Re: Environment-variable security?

Marek Howard wrote on Wed, 14 Nov 2018 at 01:35 +0100:
> Lennart Poettering wrote on Tue, 13 Nov 2018 at 15:17 +0100:
> > On Tue, 13.11.18 07:49, David Parsley (parsley@xxxxxxxxxxxxx) wrote:
> > Well, you are of course welcome to ignore whatever I say, but again,
> > environment blocks are leaky, they propagate down the process tree,
> > and are *not* generally understood as being secret.
> 
> It is not *that* common to pass secrets via environment variable but
> it's nothing unusual, and many programs offer this interface. OpenVPN
> comes to mind. Where such an interface is offered, propagating down the
> process tree is usually not a concern, because such programs usually
> don't fork "untrusted" programs.
> 
> It's quite a handy way to pass secrets and as I said above, there's
> really no risk if it's done in cases where it makes sense. Of course
> systemd leaking it to everyone makes it not usable with systemd, but
> that's not really a problem with environment variables.

If you want some examples:

borgbackup - BORG_PASSPHRASE
restic - RESTIC_PASSWORD
openssl - env:var
rsync - RSYNC_PASSWORD
hub - GITHUB_PASSWORD, GITHUB_TOKEN
rclone - RCLONE_CONFIG_PASS
smbclient - PASSWD

Again, it's not so common, but it's not unusual and it's not insecure
if you know what you're doing (which you usually do when you have the
powers to create system services).

_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
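
Added example, not part of the original message or of any project named in it: a Python sketch of the propagation discussed in the thread. It checks which of the listed variables are visible to a child and a grandchild process, first with default inheritance and then with the variables removed before spawning. The function names and the sample value are constructed for illustration.

```python
import os
import subprocess
import sys

# Variable names taken from the list in the message above.
SECRET_VARS = {"BORG_PASSPHRASE", "RESTIC_PASSWORD", "RSYNC_PASSWORD",
               "GITHUB_PASSWORD", "GITHUB_TOKEN", "RCLONE_CONFIG_PASS", "PASSWD"}

# Program run in each descendant: report which names it can see, then
# spawn one more generation with default (inherit-everything) behaviour.
CHILD = (
    "import os, subprocess, sys\n"
    "code, depth, names = sys.argv[1], int(sys.argv[2]), sys.argv[3:]\n"
    "print(depth, ','.join(n for n in names if n in os.environ))\n"
    "sys.stdout.flush()\n"
    "if depth > 1:\n"
    "    subprocess.run([sys.executable, '-c', code, code, str(depth - 1), *names], check=True)\n"
)

def visible_by_generation(env, generations=2):
    """Return {generation: set of secret variable names visible there}."""
    out = subprocess.run(
        [sys.executable, "-c", CHILD, CHILD, str(generations), *sorted(SECRET_VARS)],
        env=env, capture_output=True, text=True, check=True).stdout
    seen = {}
    for line in out.splitlines():
        depth, _, names = line.partition(" ")
        seen[generations - int(depth) + 1] = set(filter(None, names.split(",")))
    return seen

def scrubbed(env):
    """Copy of env without the known secret-bearing variables."""
    return {k: v for k, v in env.items() if k not in SECRET_VARS}

def demo():
    parent_env = dict(os.environ)
    parent_env["BORG_PASSPHRASE"] = "constructed-sample-value"  # constructed, not a real secret
    inherited = visible_by_generation(parent_env)           # child and grandchild both see it
    cleaned = visible_by_generation(scrubbed(parent_env))   # neither generation sees it
    return inherited, cleaned

if __name__ == "__main__":
    print(demo())
```

A program that reads its secret from the environment and later runs helpers can pass `env=scrubbed(os.environ)` to those spawns so the value stops at the process that needs it.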



