So basically the issue is that we have an "ssh jump box" (well, more than one), which I'm sure many of you are familiar with. They are only used as an ssh jump point to other servers. We have a lot of handy, shared scripts there, but some of them utilize API connectors to remote services and as such have API tokens and passwords in them. For that reason, I want these to be executable, but not readable by all users on this server. (It's not an issue of hiding source code; I want everyone to be able to see it, just not the sensitive bits, for pure security reasons.)
But it's not really possible to make a script truly executable-only, unless I implement some sort of client/server model, where the local execution of a 'script' would merely make a request to another, more privileged (also local) user that listens for requests, executes the script on their behalf, and returns the output (just like a web client/server model).
This is the conclusion that I've come to anyway -- please let me know if the premise is flawed.
Assuming I'm not wrong, what is the best choice for this kind of setup? On the jump box, should I run lighttpd or nginx bound to localhost to accomplish this? Or is there something better suited for this kind of problem? I've been looking into "Task Queue" solutions like RabbitMQ, which might add value to this project, but I think I would still need some kind of server daemon that handles and routes the script execution requests from users.
Am I overthinking this?
I hope I've explained that clearly. Also I don't know the best subreddit to ask this, so if there's a better one let me know.
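As an added example (not the poster's code, and not from anyone in the thread): one way to build the local client/server model the post describes, assuming Python on Linux, a Unix domain socket instead of a localhost HTTP server, SO_PEERCRED to learn the caller's uid from the kernel rather than trusting anything in the request, an allowlist of script names built from the broker's own directory, and a secret file that only the broker's account can read. The names ScriptBroker, report.sh, API_TOKEN and the sample secret are assumptions constructed for the demo.

```python
"""Local script broker: a daemon under a privileged account serves a Unix socket,
checks who is calling, and runs an allowlisted script with the secret injected.
Added illustration for the post above; names, paths and the secret are made up."""
import json
import os
import socket
import struct
import subprocess
import tempfile
import threading

MAX_ARGS = 8                             # assumption: cap on caller-supplied args
SAFE_ENV = {"PATH": "/usr/bin:/bin"}     # minimal environment; the secret is added to it


def peer_uid(conn):
    """uid of the process at the other end of a Unix socket (Linux SO_PEERCRED).
    The kernel fills struct ucred {pid, uid, gid}; the caller cannot forge it."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def recv_all(sock):
    return b"".join(iter(lambda: sock.recv(4096), b""))


class ScriptBroker:
    def __init__(self, script_dir, secret_file, allowed_uids):
        self.secret_file = secret_file
        self.allowed_uids = set(allowed_uids)
        # Allowlist comes from the broker's own directory at startup; a request names
        # a key, never a path, so "../" in a request cannot reach any other file.
        self.scripts = {n: os.path.join(script_dir, n) for n in os.listdir(script_dir)
                        if os.access(os.path.join(script_dir, n), os.X_OK)}

    def handle(self, uid, req):
        if uid not in self.allowed_uids:
            return {"ok": False, "error": "caller uid not permitted"}
        name, args = req.get("script"), req.get("args", [])
        if name not in self.scripts:
            return {"ok": False, "error": "unknown script"}
        if (not isinstance(args, list) or len(args) > MAX_ARGS
                or not all(isinstance(a, str) and "\0" not in a for a in args)):
            return {"ok": False, "error": "bad arguments"}
        with open(self.secret_file) as f:          # readable by the broker account only
            token = f.read().strip()
        env = dict(SAFE_ENV, API_TOKEN=token)      # caller never sees the token
        proc = subprocess.run([self.scripts[name], *args], env=env,
                              capture_output=True, text=True, timeout=30)
        return {"ok": True, "rc": proc.returncode,
                "stdout": proc.stdout, "stderr": proc.stderr}

    def serve(self, sock_path, n_requests):
        """Serve n_requests on a background thread (a real daemon would loop forever)."""
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)
        os.chmod(sock_path, 0o660)   # plus a group-restricted directory in real use
        srv.listen(8)

        def loop():
            for _ in range(n_requests):
                conn, _addr = srv.accept()
                with conn:
                    try:
                        resp = self.handle(peer_uid(conn), json.loads(recv_all(conn)))
                    except ValueError:
                        resp = {"ok": False, "error": "malformed request"}
                    conn.sendall(json.dumps(resp).encode())
            srv.close()

        t = threading.Thread(target=loop, daemon=True)
        t.start()
        return t


def request(sock_path, script, args=()):
    """Client side: what the unprivileged user's wrapper would do."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(sock_path)
        c.sendall(json.dumps({"script": script, "args": list(args)}).encode() + b"\n")
        c.shutdown(socket.SHUT_WR)
        return json.loads(recv_all(c))


def demo():
    """Constructed throwaway environment: one script needing API_TOKEN, one secret."""
    base = tempfile.mkdtemp()
    sdir = os.path.join(base, "scripts")
    os.mkdir(sdir)
    with open(os.path.join(sdir, "report.sh"), "w") as f:
        f.write('#!/bin/sh\nprintf "token-length=%s args=%s\\n" "${#API_TOKEN}" "$*"\n')
    os.chmod(os.path.join(sdir, "report.sh"), 0o700)
    secret = os.path.join(base, "api_token")
    with open(secret, "w") as f:
        f.write("constructed-secret-1234\n")        # constructed sample secret
    os.chmod(secret, 0o600)
    sock = os.path.join(base, "broker.sock")
    t = ScriptBroker(sdir, secret, allowed_uids=[os.getuid()]).serve(sock, 3)
    results = {"ok": request(sock, "report.sh", ["a", "b"]),
               "traversal": request(sock, "../api_token"),
               "unknown": request(sock, "rm")}
    t.join(timeout=10)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the broker runs under its own account, the script directory and secret file are owned by that account with mode 0700/0600, and the socket sits in a directory only the permitted group can enter; the script body is then unreadable to callers while still runnable through the broker, which is the property the post asks for. The caveat is that the broker itself becomes the security boundary: whatever arguments it forwards and whatever the scripts do with them runs with the broker's privileges, so argument validation matters as much as the uid check. The same pattern (a privileged account executes a fixed script on behalf of a listed user) is also what a restricted sudoers rule provides, which may be enough without a daemon.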