[systemd-devel] How to get Credential into Environment variable?
chandler
scar at riseup.net
Sat Oct 21 19:05:16 UTC 2023
Well over the past month I've searched and searched and read and read
but there appears to be no way to use `Environment` or `EnvironmentFile`
options when using encrypted credentials. Can't use `ExecStartPre`
either. I'm sick of all the trial and error at this point, my original
thought is the only way I've figured to do this:
1) Use `SetCredentialEncrypted=secret: [...]`
2) `ExecStart` option has to be something like this then:
`ExecStart=/usr/bin/sh -c 'SEC=$(cat %d/secret) mySvc <mySvc options>'`
I don't think this poses any security concerns as far as leaking `$SEC`
or `%d/secret` to regular users on the system, but let me know if you
notice anything. `DynamicUser=true` is set. `systemctl status
mySvc.service` shows:
CGroup: /system.slice/mySvc.service
├─<PID> /usr/bin/sh -c "SEC=\"\$(cat
/run/credentials/mySvc.service/secret)\" mySvc <mySvc options>"
As a regular user `systemctl show mySvc.service` has a similar entry
for `ExecStart` and `ExecStartEx` options.
Likewise, `ps` shows `/usr/bin/sh -c SEC="$(cat
/run/credentials/mySvc.service/secret)"`.
Finally, `/proc/<PID>` has a number of files with o+r permission. Not
sure where any leaks could be there besides `environ` file, which does
have `SEC=1234` in it but with restrictive mode 600 on it too.
chandler wrote on 9/26/23 4:39 AM:
> Hi all,
>
> I'm not quite grasping something here... I've just learned about
> `systemd-creds` and now trying to utilize it with a service which
> depends on a secret stored in an environment variable (or passed as a
> CLI option).
>
> Normally I could use a line like:
>
> `Environment=SEC=1234`
>
> Now I've:
>
> 1) Given "1234" to `systemd-ask-password -n | systemd-creds encrypt
> --name=secret --pretty - -`
> 2) Put the resulting `SetCredentialEncrypted=secret: ...` under the
> [Service] section
> 3) Failing with `Environment=SEC=%d/secret`
>
> Now `SEC=/run/credentials/myService.service/secret` but I need the value
> from the file, which I verified with a simple `ExecStart=checkEnv.sh`
> which runs `cat ${SEC}` which prints `1234`.
>
> Also tried putting the secret, e.g. "1234", into a temp file `/tmp/sec`
> and ran:
>
> `systemd-creds encrypt --name=secret --pretty /tmp/sec -`
>
> but the results are the same.
>
> How to get `SEC=1234` basically? I have to use `ExecStartPre=` and run
> a pre-script that defines `SEC` with shell code? Something like
> `SEC=$(cat %d/secret)` is all that's needed right? Or it needs to be
> exported too at this point? Doesn't that defeat the purpose of
> `systemd-creds` now? Maybe I can just put that in the `ExecStart=` line
> instead... will keep trying in the meantime
>
> Thanks
>
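As an added example (not code from this thread), the same idea as the `sh -c 'SEC=$(cat %d/secret) mySvc ...'` line above, done as a small wrapper script that reads the credential from `$CREDENTIALS_DIRECTORY` (the directory `%d` points at; systemd also exports it to the service) into `SEC` and then `exec`s the real service. The credential name `secret`, the variable name `SEC` and the script path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread. A wrapper that loads a
# systemd credential into an environment variable and then exec()s the real
# service, so the secret is never part of any command line and no extra
# shell process remains. Assumes systemd's CREDENTIALS_DIRECTORY variable
# (set for units using SetCredential*/LoadCredential*, same directory as %d),
# a credential named "secret", and a target variable named SEC.

# cred_to_env VAR NAME [DIR]: read credential NAME from DIR (default
# $CREDENTIALS_DIRECTORY) into the exported variable VAR. Fails, leaving
# VAR unset, if the directory is unknown or the file is unreadable.
cred_to_env() {
    var=$1
    name=$2
    dir=${3:-${CREDENTIALS_DIRECTORY:-}}
    if [ -z "$dir" ]; then
        echo "cred_to_env: CREDENTIALS_DIRECTORY is not set" >&2
        return 1
    fi
    file="$dir/$name"
    if [ ! -r "$file" ]; then
        echo "cred_to_env: cannot read $file" >&2
        return 1
    fi
    # Command substitution strips trailing newlines, so a credential written
    # with or without a final newline yields the same value.
    value=$(cat "$file") || return 1
    # The value only travels file -> variable -> environ of the exec'd process;
    # /proc/<pid>/environ is readable by the process owner (and root) only.
    export "$var=$value"
}

# Entry point for ExecStart=: export the credential, then become the service.
run_with_credential() {
    cred_to_env SEC secret || exit 1
    exec "$@"
}

# Act only when given a command line, e.g.
#   ExecStart=/usr/local/bin/cred-wrapper.sh /usr/bin/mySvc <mySvc options>
# With no arguments the file just defines the functions (handy for testing).
[ $# -eq 0 ] || run_with_credential "$@"
```

With this, `ps` shows only `/usr/bin/mySvc <mySvc options>`, and the `sh -c` process with the credential path on its command line no longer exists once the service has started.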