[systemd-devel] Environment-variable security?

David Parsley parsley at linuxjedi.org
Mon Nov 12 19:49:06 UTC 2018


It's a fairly common practice to configure services and provide secrets
with environment variables. For instance, both Hubot (made by GitHub) and
Gopherbot (made by me) can get their Slack token from an environment
variable. In my case, github.com/lnxjedi/ansible-role-gopherbot stores the
Slack bot token with "Environment=GOPHER_SLACK_TOKEN=xxx" in the systemd
unit file. I had hoped to keep this info to the robot user by marking the
unit file world-inaccessible. I was dismayed to see the log warning about
values being accessible via the API, though super glad that my unprivileged
user couldn't fetch it with a simple systemctl cat gopherbot. I know very
little about DBUS or any APIs for systemd, so wanted to ask - is there some
means by which a non-privileged user can access the values provided with
"Environment=..." lines? Can I disable this by disabling dbus-daemon on
server systems?

Thanks,
-David
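
An added example, not part of the original post: a small audit for the setup described above, listing secret-looking variables set inline with Environment= in a unit file's [Service] section. The name heuristic, the sample unit and every value in it are constructed assumptions, and shlex only approximates systemd's quoting rules.

```python
import re
import shlex
# Assumption: variable names containing these words hold secrets (heuristic).
SECRET_NAME = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY)", re.I)

# Constructed sample unit, modelled on the setup described in the post.
SAMPLE_UNIT = """\
[Service]
Environment=GOPHER_SLACK_TOKEN=xxx
Environment="GOPHER_ALIAS=;" LOG_LEVEL=info \\
    'DB_PASSWORD=not a real one'
# Environment=OLD_TOKEN=commented-out
EnvironmentFile=/etc/gopherbot/env
"""

def logical_lines(text):
    """Join backslash-continued lines; skip comments and stray blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")) or (not line and not buf):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def inline_secrets(unit_text):
    """Return names of secret-looking variables set via Environment= in [Service]."""
    found, section = [], None
    for line in logical_lines(unit_text):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section != "Service" or not sep or key.strip() != "Environment":
            continue
        # shlex approximates systemd's quoting; adequate for an audit pass.
        for assignment in shlex.split(value):
            name = assignment.partition("=")[0]
            if SECRET_NAME.search(name):
                found.append(name)
    return found

if __name__ == "__main__":
    print(inline_secrets(SAMPLE_UNIT))
```

Only variable names are reported, never values, so the output is safe to log.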