On Mon, 12.11.18 17:41, aleivag (aleivag@xxxxxxxxx) wrote:

> You can define those secrets on /etc/robotsecret.txt, and then on your unit
> you do `EnvironmentFile=/etc/robotsecret.txt`
>
> then you protect /etc/robotsecret.txt as you would normally do

Don't do this. This is only partially secure, and that only by coincidence, not by design. Env vars are generally not considered secrets, and will still propagate down the tree.

If you have secrets, pick a place where they are strictly access controlled, and where this access control is built into the concept itself. Files on disk work (with their age-old UNIX access mode) and kernel keyrings work too (they have been designed just for this purpose). Env vars do not qualify. Neither in understanding of its users, nor in actual code.

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
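
Added example, not part of the original message or of systemd: a shell demonstration of the propagation described above, comparing a secret passed through the environment with one kept in a mode-0600 file. The variable name `ROBOT_SECRET`, the temporary file and the secret value are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: all names and values here are made up for illustration.

# Case 1: the secret reaches a process through its environment, which is
# what EnvironmentFile= results in. Prints which descendants can see it.
env_visibility() {
    ROBOT_SECRET="$1" sh -c '
        seen=""
        [ -n "${ROBOT_SECRET:-}" ] && seen="child"
        # env is a separate program started by the child (a grandchild of
        # the caller). It never asked for the secret but inherits it anyway.
        if env | grep -q "^ROBOT_SECRET="; then
            seen="$seen grandchild"
        fi
        echo "$seen"
    '
}

# Case 2: the secret lives in a file whose access mode is the control.
# Prints the file mode and how many environment lines of a child process
# contain the secret.
file_visibility() {
    dir=$(mktemp -d) || return 1
    # umask 077 makes the file 0600 from the moment it is created.
    ( umask 077; printf '%s\n' "$1" > "$dir/robotsecret.txt" )
    mode=$(ls -l "$dir/robotsecret.txt" | cut -c1-10)
    # Read into an unexported variable: the value stays in this process.
    secret=$(cat "$dir/robotsecret.txt")
    # A child started now has no copy unless it opens the file itself.
    leaks=$(env | grep -cF -- "$secret" || true)
    rm -rf "$dir"
    echo "$mode leaks=$leaks"
}

echo "environment: visible to: $(env_visibility 'constructed-token')"
echo "file:        $(file_visibility 'constructed-token')"
```
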