  1. #1
    Just Joined!
    Join Date
    Sep 2008
    Posts
    4

    restrict rpm query

    Is there any way to restrict rpm queries so users can't use the "--scripts" argument?

    Why: I use the %post section in the rpm spec file to insert db-password in a file via sed. The whole reason for this is that our developers build the package but they aren't allowed to know the password for their production db. They deliver the package to IT and we rebuild it and insert the password (via command line with --define). It's all a bit complicated but the bottom line is that we want to protect our passwords. However, if you do an rpm query with the --scripts argument the password is seen in cleartext.

    So the easy way out is if there is a (native) way to restrict users from using the "--scripts" argument. Or maybe some way to tag rows in the %post section so they are hidden from queries?

    //Adam

  2. #2
    Linux Guru Irithori
    Join Date
    May 2009
    Location
    Munich
    Posts
    2,097
    Afaik, not possible.

    I have similar rules at my workplace (devs have no access to production environment, save for logs) and we also use custom RPMs to package our (web)applications.

    Passwords and db connection strings are handled via config files per application.
    The RPM only contains a dummy config.

    The real distribution to the different environments (dev/qa/production) happens via cfengine.

    This way, config of the apps is decoupled from software deployment,
    which makes it possible to change this config at runtime.
    Also, cfengine provides a centralized way of changing the application config of X webservers at once.

    We use cfengine mostly for historical reasons.
    If you decide to go that route, my advice would be puppet. But ymmv
    Last edited by Irithori; 10-07-2010 at 07:28 PM.
    You must always face the curtain with a bow.

  3. #3
    Just Joined!
    Join Date
    Sep 2008
    Posts
    4
    Thanks for your reply - we currently use a homebrew config management system with similar capabilities as cfengine and puppet, but are in the process of migrating to puppet. So far we have tried to avoid using it for application management though, but maybe we need to rethink for this specific need.

  4. #4
    Just Joined!
    Join Date
    Oct 2010
    Posts
    6
    puppet gets my vote
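
Added example, not part of the thread or any poster's code: a pre-release check that scans the text printed by `rpm -q --scripts` for credential-looking lines, which is the exposure described in the first post. The sample scriptlets, the path `/etc/myapp/db.conf`, the password value and the keyword list are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flag credential-looking lines in the
# text printed by `rpm -q --scripts <pkg>` or `rpm -qp --scripts <file.rpm>`.

# scan_scriptlets: read scriptlet text on stdin, print "<section>: <line>" for
# every suspicious line. Exit status 0 = clean, 1 = findings.
scan_scriptlets() {
    awk '
        # rpm introduces each section with e.g. "postinstall scriptlet (using /bin/sh):"
        /^[a-z]+ scriptlet \(using / { section = $1; next }
        /^[a-z]+ program: /          { section = $1; next }
        {
            line = tolower($0)
            # Heuristic (assumed keyword list): a scriptlet line naming a credential
            if (line ~ /passw(or)?d|secret|api_?key|token/) {
                printf "%s: %s\n", (section ? section : "unknown"), $0
                found = 1
            }
        }
        END { exit found + 0 }
    '
}

# audit_pkg: scan an installed package by name (needs rpm on PATH).
audit_pkg() { rpm -q --scripts "$1" | scan_scriptlets; }

# Constructed sample: what --scripts shows after a rebuild expanded a password
# macro into a sed call in %post (path and value are made up).
sample_leaky() {
    cat <<'EOF'
postinstall scriptlet (using /bin/sh):
sed -i 's/@DB_PASSWORD@/Examp1e-Only/' /etc/myapp/db.conf
preuninstall scriptlet (using /bin/sh):
/sbin/service myapp stop >/dev/null 2>&1 || :
EOF
}

# Constructed sample: package ships only a dummy config, nothing secret in %post.
sample_clean() {
    cat <<'EOF'
postinstall scriptlet (using /bin/sh):
/sbin/chkconfig --add myapp
EOF
}

sample_leaky | scan_scriptlets || echo "FAIL: credential material in scriptlets"
sample_clean | scan_scriptlets && echo "OK: scriptlets clean"
```

Run `audit_pkg <name>` on a build host before a rebuilt package is published; a non-zero status means the scriptlets need review.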
