[systemd-devel] Environment-variable security?

aleivag aleivag at gmail.com
Mon Nov 12 20:41:52 UTC 2018


You can define those secrets in /etc/robotsecret.txt, and then in your unit
you do `EnvironmentFile=/etc/robotsecret.txt`.

Then you protect /etc/robotsecret.txt as you would normally do.

Alvaro Leiva Geisse


On Mon, Nov 12, 2018 at 4:49 PM David Parsley <parsley at linuxjedi.org> wrote:

> It's a fairly common practice to configure services and provide secrets
> with environment variables. For instance, both Hubot (made by GitHub) and
> Gopherbot (made by me) can get their Slack token from an environment
> variable. In my case, github.com/lnxjedi/ansible-role-gopherbot stores
> the Slack bot token with "Environment=GOPHER_SLACK_TOKEN=xxx" in the
> systemd unit file. I had hoped to keep this info to the robot user by
> marking the unit file world-inaccessible. I was dismayed to see the log
> warning about values being accessible via the API, though super glad that
> my unprivileged user couldn't fetch it with a simple systemctl cat
> gopherbot. I know very little about DBUS or any APIs for systemd, so
> wanted to ask - is there some means by which a non-privileged user can
> access the values provided with "Environment=..." lines? Can I disable
> this by disabling dbus-daemon on server systems?
>
> Thanks,
> -David
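A check for the two setups discussed in this thread, as an added example that is not part of either message: it flags secret-looking variables set inline with `Environment=` and `EnvironmentFile=` targets that group or others can access. `audit_unit`, the name patterns and the sample files are assumptions made here; `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example, not code from the thread or from systemd.
# audit_unit (hypothetical helper) prints one finding per line:
#   INLINE <VAR>         secret-looking variable set with Environment=
#   LOOSE <path> <mode>  EnvironmentFile= target open to group or others
#   MISSING <path>       EnvironmentFile= target that does not exist
audit_unit() (
    set -f   # no globbing while splitting assignments (subshell-local)
    unit=$1
    # Inline assignments: Environment=NAME=value [NAME2=value2 ...].
    # Splitting is approximate for quoted values that contain spaces.
    sed -n 's/^[[:space:]]*Environment=//p' "$unit" | tr -d '"' |
    while read -r assignments; do
        for a in $assignments; do
            name=${a%%=*}
            case $name in
                *TOKEN*|*SECRET*|*PASSWORD*|*KEY*) echo "INLINE $name" ;;
            esac
        done
    done
    # Referenced files: a leading "-" marks the file as optional.
    sed -n 's/^[[:space:]]*EnvironmentFile=-\{0,1\}//p' "$unit" |
    while read -r path; do
        if [ ! -e "$path" ]; then echo "MISSING $path"; continue; fi
        mode=$(stat -c '%a' "$path")
        case $mode in
            0|*00) ;;                      # no group/other permission bits
            *) echo "LOOSE $path $mode" ;;
        esac
    done
)

# Constructed sample: one unit with an inline token, one using a separate file.
demo() (
    d=$(mktemp -d) || exit 1
    printf 'GOPHER_SLACK_TOKEN=xxx\n' > "$d/robotsecret.txt"
    chmod 600 "$d/robotsecret.txt"
    printf '[Service]\nEnvironment=GOPHER_SLACK_TOKEN=xxx\n' > "$d/inline.service"
    printf '[Service]\nEnvironmentFile=%s\n' "$d/robotsecret.txt" > "$d/file.service"
    echo "inline unit:      $(audit_unit "$d/inline.service")"
    echo "file unit (0600): $(audit_unit "$d/file.service")"
    chmod 644 "$d/robotsecret.txt"
    echo "file unit (0644): $(audit_unit "$d/file.service")"
    rm -rf "$d"
)
demo
```

The check covers file mode only; ownership of the file and of its parent directory is not inspected.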