[systemd-devel] How to get Credential into Environment variable?

chandler scar at riseup.net
Sat Oct 21 19:05:16 UTC 2023


	Well over the past month I've searched and searched and read and read
but there appears to be no way to use `Environment` or `EnvironmentFile`
options when using encrypted credentials.  Can't use `ExecStartPre`
either.  I'm sick of all the trial and error at this point, my original
thought is the only way I've figured to do this:

1) Use `SetCredentialEncrypted=secret: [...]`
2) `ExecStart` option has to be something like this then:
`ExecStart=/usr/bin/sh -c 'SEC=$(cat %d/secret)  mySvc <mySvc options>'`

	I don't think this poses any security concerns as far as leaking `$SEC`
or `%d/secret` to regular users on the system, but let me know if you
notice anything.  `DynamicUser=true` is set.  `systemctl status
mySvc.service` shows:

	CGroup: /system.slice/mySvc.service
		├─<PID> /usr/bin/sh -c "SEC=\"\$(cat
/run/credentials/mySvc.service/secret)\"   mySvc <mySvc options>"

	As a regular user `systemctl show mySvc.service` has a similar entry
for `ExecStart` and `ExecStartEx` options.

	Likewise, `ps` shows `/usr/bin/sh -c SEC="$(cat
/run/credentials/mySvc.service/secret)"`.

	Finally, `/proc/<PID>` has a number of files with o+r permission.  Not
sure where any leaks could be there besides `environ` file, which does
have `SEC=1234` in it but with restrictive mode 600 on it too.



chandler wrote on 9/26/23 4:39 AM:
> Hi all,
> 
>     I'm not quite grasping something here... I've just learned about
> `systemd-creds` and now trying to utilize it with a service which
> depends on a secret stored in an environment variable (or passed as a
> CLI option).
> 
> Normally I could use a line like:
> 
> `Environment=SEC=1234`
> 
> Now I've:
> 
> 1) Given "1234" to `systemd-ask-password -n | systemd-creds encrypt
> --name=secret --pretty - -`
> 2) Put the resulting `SetCredentialEncrypted=secret: ...` under the
> [Service] section
> 3) Failing with `Environment=SEC=%d/secret`
> 
> Now `SEC=/run/credentials/myService.service/secret` but I need the value
> from the file, which I verified with a simple `ExecStart=checkEnv.sh`
> which runs `cat ${SEC}` which prints `1234`.
> 
> Also tried putting the secret, e.g. "1234", into a temp file `/tmp/sec`
> and ran:
> 
> `systemd-creds encrypt --name=secret --pretty /tmp/sec -`
> 
> but the results are the same.
> 
> How to get `SEC=1234` basically?  I have to use `ExecStartPre=` and run
> a pre-script that defines `SEC` with shell code?  Something like
> `SEC=$(cat %d/secret)` is all that's needed right?  Or it needs to be
> exported too at this point?  Doesn't that defeat the purpose of
> `systemd-creds` now?  Maybe I can just put that in the `ExecStart=` line
> instead... will keep trying in the meantime
> 
> Thanks
> 

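An added example, not from this thread: a small wrapper script that does the same job as the `sh -c 'SEC=$(cat %d/secret) ...'` one-liner above, but reads the credential through `$CREDENTIALS_DIRECTORY` (the directory `%d` expands to, which systemd exports to the service) and `exec`s the service so the value exists only in the child's environment, never in any process's argv. The script name `with-secret.sh`, the credential name `secret` and the variable `SEC` are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example (not code from the thread): run a service with a systemd
# credential exported as SEC. Assumes the unit sets SetCredentialEncrypted=secret:...
# and calls this as ExecStart=/usr/local/bin/with-secret.sh mySvc <options>.
set -eu

# Print credential $1 from CREDENTIALS_DIRECTORY (systemd sets this to the
# same path as %d). Fails non-zero if the directory is unset or the file is
# unreadable, so a misconfigured unit never starts the service with SEC empty.
load_credential() {
    cred_file="${CREDENTIALS_DIRECTORY:?not set; is SetCredentialEncrypted= configured?}/$1"
    [ -r "$cred_file" ] || { echo "credential '$1' not readable at $cred_file" >&2; return 1; }
    # Only the file path is an argument here; the value itself never appears
    # on a command line. Command substitution strips a trailing newline.
    cat "$cred_file"
}

# Export the credential as SEC and replace this shell with "$@".
# The secret is inherited via the environment, so `ps`, `systemctl show`
# and the cgroup listing show only the wrapper's path and the service's
# own options, exactly as the thread wants.
run_with_secret() {
    SEC="$(load_credential secret)" || return 1
    export SEC
    exec "$@"
}

# When invoked with a command (from ExecStart=), hand off to it.
# With no arguments the functions above are merely defined (useful for testing).
if [ "$#" -gt 0 ]; then
    run_with_secret "$@"
fi
```

Pair it with `ExecStart=/usr/local/bin/with-secret.sh mySvc <options>` so the `sh -c` string, and the literal `cat %d/secret`, disappears from the unit and from `ps` entirely.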
