[systemd-devel] Environment-variable security?

Lennart Poettering lennart at poettering.net
Wed Nov 14 08:43:23 UTC 2018


On Wed, 14.11.18 02:17, Marek Howard (marekhwd at gmail.com) wrote:

> > It is not *that* common to pass secrets via environment variable but
> > it's nothing unusual, and many programs offer this interface. OpenVPN
> > comes to mind. Where such interface is offered, propagating down the
> > process tree is usually not a concern, because such programs usually
> > don't fork "untrusted" programs.

Well, what's "trusted" or "untrusted" is in the eye of the beholder,
and you never know what your libraries do in the background.

What is common or not is orthogonal to what is a good idea and what is
not.

> If you want some examples:
> 
> borgbackup - BORG_PASSPHRASE
> restic - RESTIC_PASSWORD
> openssl - env:var
> rsync - RSYNC_PASSWORD
> hub - GITHUB_PASSWORD, GITHUB_TOKEN
> rclone - RCLONE_CONFIG_PASS
> smbclient - PASSWD

Well, if you look at those, at least some of them even take the
password from the command line (for example: smbclient). And as
hopefully everyone knows any information included in the command line
is readily visible to everybody else (including unprivileged) on the
system with "ps". And yes, tools doing that tend to override them
quickly after reading, but that's still awfully racy.

I mean, seriously, people do lots of stuff. It doesn't mean that
everything people do is actually a good idea or just safe.

Lennart

-- 
Lennart Poettering, Red Hat
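
Added example, not part of the original message or of any project named in it: a small Python check of the two exposure paths discussed above, showing that a secret in the environment reaches a grandchild process unless it is scrubbed before spawning, and comparing the permission bits of /proc/<pid>/cmdline and /proc/<pid>/environ. The variable name DEMO_PASSPHRASE, its value and the helper names are constructed for illustration.

```python
import os
import stat
import subprocess
import sys

SECRET_VAR = "DEMO_PASSPHRASE"  # constructed name, not a real tool's variable

# The child spawns a grandchild; the grandchild reports what it inherited.
GRANDCHILD = f"import os; print(os.environ.get({SECRET_VAR!r}, ''), end='')"
CHILD = (
    "import subprocess, sys; "
    f"subprocess.run([sys.executable, '-c', {GRANDCHILD!r}], check=True)"
)


def grandchild_view(env):
    """Run child -> grandchild with `env`; return the secret the grandchild sees."""
    out = subprocess.run([sys.executable, "-c", CHILD], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout


def scrubbed(env, names=(SECRET_VAR,)):
    """Return a copy of env without the secret-bearing variables."""
    return {k: v for k, v in env.items() if k not in names}


def proc_modes(pid):
    """Permission bits of /proc/<pid>/cmdline and environ, or None without procfs."""
    try:
        return {name: stat.S_IMODE(os.stat(f"/proc/{pid}/{name}").st_mode)
                for name in ("cmdline", "environ")}
    except OSError:
        return None


if __name__ == "__main__":
    env = dict(os.environ, **{SECRET_VAR: "constructed-secret"})
    print("inherited by grandchild:", repr(grandchild_view(env)))
    print("after scrubbing:        ", repr(grandchild_view(scrubbed(env))))
    for name, mode in (proc_modes(os.getpid()) or {}).items():
        scope = "readable by other users" if mode & stat.S_IROTH else "owner only"
        print(f"/proc/<pid>/{name}: {mode:04o} ({scope})")
```

On a stock Linux procfs the last two lines show cmdline as world-readable and environ as owner-only, which is the difference between the command-line and environment cases in the message.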

