Well over the past month I've searched and searched and read and read but there appears to be no way to use `Environment` or `EnvironmentFile` options when using encrypted credentials. Can't use `ExecStartPre` either. I'm sick of all the trial and error at this point; my original thought is the only way I've figured out to do this:

1) Use `SetCredentialEncrypted=secret: [...]`
2) `ExecStart` option has to be something like this then:
   `ExecStart=/usr/bin/sh -c 'SEC=$(cat %d/secret) mySvc <mySvc options>'`

I don't think this poses any security concerns as far as leaking `$SEC` or `%d/secret` to regular users on the system, but let me know if you notice anything. `DynamicUser=true` is set.

`systemctl status mySvc.service` shows:

    CGroup: /system.slice/mySvc.service
            ├─<PID> /usr/bin/sh -c "SEC=\"\$(cat /run/credentials/mySvc.service/secret)\" mySvc <mySvc options>"

As a regular user `systemctl show mySvc.service` has a similar entry for the `ExecStart` and `ExecStartEx` options. Likewise, `ps` shows `/usr/bin/sh -c SEC="$(cat /run/credentials/mySvc.service/secret)"`. Finally, `/proc/<PID>` has a number of files with o+r permission. Not sure where any leaks could be there besides the `environ` file, which does have `SEC=1234` in it but with restrictive mode 600 on it too.

chandler wrote on 9/26/23 4:39 AM:
> Hi all,
>
> I'm not quite grasping something here... I've just learned about
> `systemd-creds` and now trying to utilize it with a service which
> depends on a secret stored in an environment variable (or passed as a
> CLI option).
>
> Normally I could use a line like:
>
> `Environment=SEC=1234`
>
> Now I've:
>
> 1) Given "1234" to `systemd-ask-password -n | systemd-creds encrypt
>    --name=secret --pretty - -`
> 2) Put the resulting `SetCredentialEncrypted=secret: ...` under the
>    [Service] section
> 3) Failing with `Environment=SEC=%d/secret`
>
> Now `SEC=/run/credentials/myService.service/secret` but I need the value
> from the file, which I verified with a simple `ExecStart=checkEnv.sh`
> which runs `cat ${SEC}` which prints `1234`.
>
> Also tried putting the secret, e.g. "1234", into a temp file `/tmp/sec`
> and ran:
>
> `systemd-creds encrypt --name=secret --pretty /tmp/sec -`
>
> but the results are the same.
>
> How to get `SEC=1234` basically? I have to use `ExecStartPre=` and run
> a pre-script that defines `SEC` with shell code? Something like
> `SEC=$(cat %d/secret)` is all that's needed right? Or it needs to be
> exported too at this point? Doesn't that defeat the purpose of
> `systemd-creds` now? Maybe I can just put that in the `ExecStart=` line
> instead... will keep trying in the meantime
>
> Thanks