I work in a small company. When I am going on holiday I had to give root access to my junior. That junior could give access to another man. Unfortunately I can't control this process. I would like them not to be able to see more than they need. For example, /etc/postfix/main.cf contains the string: smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd, where sasl_password is the encrypted password.

There is data (passwords, user accounts) that I would like to keep encrypted.

For example:

>cat ~/.my.cnf

[mysql]
prompt='mysqlserver>'

[client]
password=some_very_secure_password

[mysqldump]
user=MysqlBackupUser
password=some_very_secure_password

Need this:

[client]
password=** link_to_file_with_encrypted_password **

[mysqldump]
user=MysqlBackupUser
password=** link_to_file_with_encrypted_password **
Michael Hampton
Stepchik
  • Who are you trying to hide this data from? – EEAA Aug 13 '13 at 14:00
  • Even if you did manage to do that the application that uses the file wouldn't understand it. So you could use that as a transit/storage format but you'd need to undo it for actual application use. – Etan Reisner Aug 13 '13 at 14:00
  • When I configured postfix, I saw that the SMTP account setting is not stored as plain text, only encrypted. Is there a way to do the same thing everywhere I need? – Stepchik Aug 13 '13 at 14:04
  • No, there is no universal standard way to do this - each application has its own set of capabilities. That said, who are you trying to hide this information from? If you can't trust people that have access to these files on your server, then they probably shouldn't have access at all. – EEAA Aug 13 '13 at 14:07
  • I work in a small company. When I am going on holiday I had to give root access to my junior. That junior can give access to another man. Unfortunately I can't control this process. I want them not to be able to see more than they need. For example, /etc/postfix/main.cf contains the string: smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd, where sasl_password is the encrypted password. – Stepchik Aug 13 '13 at 14:17
  • I have to agree: if your junior is not trustworthy enough to be working in this position, he should not be working there. – Michael Hampton Aug 13 '13 at 14:34
  • If you can't control who gets the password while you're gone then you can't be responsible for what they do either. When you get back, change the password so they couldn't know anymore. That's really all you can do. – Chris S Aug 13 '13 at 14:35

1 Answer

Hire who you trust. Trust who you hire.

If you don't trust your junior with this information, then I'm wondering why he's employed there.

You can't solve a social problem with a technical solution.

Tom O'Connor
  • You can always change the password at a later date, but you've gotta give junior members of staff a chance to step up and prove themselves, otherwise what are they there for? – Tom O'Connor Aug 14 '13 at 07:19
  • Most commenters are missing the point here. While in this instance Stepchik sees a security problem in granting someone else access to the password, you're a fool if you just trust others. That's how major security breaches occur. If you just trusted your co-workers, why then not use the same user/password for everyone? So think a little more before simply firing off a response to trust a little more. – Lifeboy Jul 11 '15 at 11:52