Home / server / Questions / 485340
In Process
Thomas L Holaday
Asked: 2013-03-07 11:03:16 +0800 CST

Revision control of sensitive configuration files

  • 772

Consider a file with user-read-only permissions, for example ...

-r--------+ admin secrets.txt

How can such a file be put under revision control, so that its contents remain secret, even from the revision control administrator?

git

3 Answers

  1. Use GPG to encrypt the file before commiting to your repo.

    Yes, it's cumbersome (you won't be able to diff/merge/etc. without decrypting first) but I can't conceive of any other way to skin this cat.

    • 7

  2. Store the secrets in a separate file (not under version control), and insert the secret content into the other file with a script or Puppet-like tool.

    Working from this other answer, a simple example could be:

    netjoin.sh.erb (stored in version control):

    #!/bin/sh
# Usage: netjoin.sh /path/to/samba/binary/net pdc-hostname
NET=$1
SERVER=$2
HOSTNAME=`facter hostname`-`facter operatingsystem`
PASSWORD=<%= scope.function_generate("/etc/puppet/auth/getpwd", "ad", "netjoin") %>
${NET} rpc user delete ${HOSTNAME}\$ -U netjoin%${PASSWORD} -S ${SERVER}
${NET} rpc join -U netjoin%${PASSWORD} -S ${SERVER}
/bin/rm -f $0

    /etc/puppet/auth/getpwd (can also be stored in version control):

    #!/bin/bash
# /etc/puppet/auth/getpwd
if [ "$#" -ne 2 ]; then
    echo "Usage: $0 <db> <user>"
    exit 1
fi
if [ ! -x /usr/bin/pwgen ]; then
    echo "missing pwgen!" >&2
    exit 1
fi
workdir=`dirname $0`
workfile="$workdir/passwd_$1"
[ ! -r $workfile ] && exit 2
get_name="$2"
# get password from storage
pwd=`egrep "^${get_name}:" ${workfile} | cut -d: -f2-`
if [ "$pwd" = "" ]; then
    # generate new password & store it
    len=$((60 + $RANDOM % 9 ))
    pwd=$(/usr/bin/pwgen -s $len 1)
    echo "${get_name}:${pwd}" >> $workfile
fi
# echo password (without new line)
echo -n "$pwd"

    /etc/puppet/auth/passwd_ad (absolutely not in version control):

    netjoin:0Gb2iHFsnXZUnsyr0XSMxVvJVJ64zqpBzLFZXEoss5XVM9vTHWgvLHokBKclC
    • 2

  3. Be careful when you version sensitive files with Perforce - since Perforce doesn't deal with file permission other than the executable bit depending your umask you will be surprised to see file permissions will get messed up as you check them into Perforce:

    $ p4 init
Matching server configuration from 'perforce:1666':
case-sensitive (-C0), unicode (-xi)
Server lester-dvcs-1449094406 saved.
$ date > x 
$ l x      
-rw-rw-r--. 1 lester lester 30 Dec  3 09:13 x
$ chmod 400 x
$ l x        
-r--------. 1 lester lester 30 Dec  3 09:13 x
$ umask  
002
$ p4 add x; p4 submit -d add 
//stream/main/x#1 - opened for add
Submitting change 1.
Locking 1 files ...
add //stream/main/x#1
Change 1 submitted.
$ l x                        
-rw-rw-r--. 1 lester lester 30 Dec  3 09:13 x   <-- oops!

    If anyone have a good workaround I'm all ears! In the meantime I'm using mercurial/git to version my secret files (/etc actually) and push the the repo somewhere safe - at least permissions of my local files will remain unchanged.

    • 0