[systemd-devel] How to get Credential into Environment variable?
chandler
scar at riseup.net
Sat Nov 4 22:36:59 UTC 2023
Lennart Poettering wrote on 10/24/23 4:51 AM:
> what you are looking for is not supported and we won't support it, because it defeats one main design goal of credentials: to require access control on access, and not allow "greedy" inheritance down the process tree.
>
> Sorry if that's disappointing!
>
> If a service insists on reading its credentials from an env var or cmdline and supports nothing else this is of course disappointing, but it's simply not compatible with the credentials logic, without manual glue scripting.

I totally agree, Lennart! I was definitely getting frustrated with
the config. Thank you for making it clear. Unbelievable an app would
even be coded today with command line options for secrets!

The sad part is this particular app is the Telegram Bot API
<https://github.com/tdlib/telegram-bot-api> and Telegram, I thought, was
considered one of the groups more focused on security, I guess not in
this case... At least it's open source... I should be able to just add
a reference to the code somewhere like you said, to
$CREDENTIALS_DIRECTORY/id and $CREDENTIALS_DIRECTORY/hash for example,
somewhere around here
<https://github.com/tdlib/telegram-bot-api/blob/5d88023dd1e65b7d0926a71aea4487d6cac3bf13/telegram-bot-api/telegram-bot-api.cpp#L213>
maybe?

If you (or anyone else) have any ideas off the top of your heads let
me know. Otherwise I'll probably be reporting this as an issue looking
for more secure solutions. Thanks again.

Best,
Chandler
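
Reading the two values from $CREDENTIALS_DIRECTORY/id and $CREDENTIALS_DIRECTORY/hash inside the service, as the message above proposes, could look like the following. This is an added example, not code from the post or from telegram-bot-api; the helper name `read_credential` is hypothetical, and the credential names `id` and `hash` are the ones the message uses as its example.

```cpp
// Added example: load systemd service credentials from $CREDENTIALS_DIRECTORY
// instead of taking secrets from the command line or the environment.
#include <cstdlib>
#include <fstream>
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical helper (not part of telegram-bot-api). Stores the contents of
// $CREDENTIALS_DIRECTORY/<name> in `out` and returns true on success.
bool read_credential(const std::string &name, std::string &out) {
  // A credential name is a single file name; refuse anything that could
  // resolve outside the credentials directory.
  if (name.empty() || name == "." || name == ".." ||
      name.find('/') != std::string::npos) {
    return false;
  }
  const char *dir = std::getenv("CREDENTIALS_DIRECTORY");
  if (dir == nullptr || dir[0] != '/') {  // unset, or not an absolute path
    return false;
  }
  std::ifstream in((std::string(dir) + "/" + name).c_str(), std::ios::binary);
  if (!in) {
    return false;  // credential not configured for this unit
  }
  std::ostringstream buf;
  buf << in.rdbuf();
  std::string value = buf.str();
  // Secret files written with echo or an editor usually end in a newline.
  while (!value.empty() && (value.back() == '\n' || value.back() == '\r')) {
    value.erase(value.size() - 1);
  }
  if (value.empty()) {
    return false;  // treat an empty secret as missing
  }
  out = value;
  return true;
}

int main() {
  std::string id, hash;
  if (!read_credential("id", id) || !read_credential("hash", hash)) {
    std::cerr << "credentials 'id' and 'hash' are not available\n";
    return 1;
  }
  // Pass id/hash to the application's own configuration here; never log them.
  std::cout << "loaded 2 credentials\n";
  return 0;
}
```

Because the values are read from files at startup, they never appear in the process's argument list or environment, so child processes do not inherit them.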