<div dir="ltr">You can define those secrets in /etc/robotsecret.txt, and then in your unit you do <code>EnvironmentFile=/etc/robotsecret.txt</code><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><br></div><div>Then you protect /etc/robotsecret.txt as you would normally do.</div><div dir="ltr"><br>Alvaro Leiva Geisse<br></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Nov 12, 2018 at 4:49 PM David Parsley <<a href="mailto:parsley@linuxjedi.org">parsley@linuxjedi.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>It's a fairly common practice to configure services and provide secrets with environment variables. For instance, both Hubot (made by GitHub) and Gopherbot (made by me) can get their Slack token from an environment variable. In my case, <a href="http://github.com/lnxjedi/ansible-role-gopherbot" target="_blank">github.com/lnxjedi/ansible-role-gopherbot</a> stores the Slack bot token with "Environment=GOPHER_SLACK_TOKEN=xxx" in the systemd unit file. I had hoped to keep this info to the robot user by marking the unit file world-inaccessible.
I was dismayed to see the log warning about values being accessible via the API, though super glad that my unprivileged user couldn't fetch it with a simple <code>systemctl cat gopherbot</code>. I know very little about D-Bus or any APIs for systemd, so I wanted to ask: is there some means by which a non-privileged user can access the values provided with "Environment=..." lines? Can I disable this by disabling dbus-daemon on server systems?</div><div><br></div><div>Thanks,</div><div>-David</div></div>
_______________________________________________<br>
systemd-devel mailing list<br>
<a href="mailto:systemd-devel@lists.freedesktop.org" target="_blank">systemd-devel@lists.freedesktop.org</a><br>
<a href="https://lists.freedesktop.org/mailman/listinfo/systemd-devel" rel="noreferrer" target="_blank">https://lists.freedesktop.org/mailman/listinfo/systemd-devel</a><br>
</blockquote></div>
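The EnvironmentFile= pattern suggested in the reply above, as an added example that is not code from the thread, from systemd or from the gopherbot project. The two unit fragments, the service user `robot`, the ExecStart path and the token value are constructed for the demo; only the path /etc/robotsecret.txt comes from the thread. Nothing here talks to a running systemd, and the permission check assumes GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or gopherbot): the
# Environment= fragment that leaks beside the EnvironmentFile= fragment that
# does not, plus the two checks an operator would run before enabling it.
# Unit text, user name, paths other than /etc/robotsecret.txt and the token
# are all constructed for this demo.
set -eu

# Fragment that leaks: the token is unit *configuration*, and systemd serves
# unit configuration over D-Bus without regard to the fragment file's mode,
# so `systemctl show -p Environment gopherbot.service` prints it to any user.
leaky_unit() {
    cat <<'EOF'
[Service]
User=robot
Environment=GOPHER_SLACK_TOKEN=xoxb-constructed-example-token
ExecStart=/usr/local/bin/gopherbot
EOF
}

# Hardened fragment: only the *path* is configuration. PID 1 (root) reads the
# file when it spawns the service, so the file never needs to be readable by
# the robot user, let alone by anyone else.
hardened_unit() {
    cat <<'EOF'
[Service]
User=robot
EnvironmentFile=/etc/robotsecret.txt
ExecStart=/usr/local/bin/gopherbot
EOF
}

# Check 1: does a unit fragment still carry a credential inline?
# Returns 0 when an Environment= line sets a key whose name looks secret.
unit_has_inline_secret() {
    grep -Eiq '^Environment=.*(TOKEN|SECRET|PASSWORD|PASSWD|KEY)[A-Za-z0-9_]*=' "$1"
}

# Check 2: is the EnvironmentFile unreadable by group and others?
# Returns 0 for modes such as 0600 or 0400, 1 otherwise or if it is missing.
envfile_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1")   # GNU stat: octal mode without leading zero, e.g. 600
    case "$mode" in
        *00) return 0 ;;        # group and other bits all clear
        *)   return 1 ;;
    esac
}

# List the variable names an EnvironmentFile defines without echoing their
# values, so a check can be logged safely. Accepts the format systemd reads:
# one KEY=VALUE per line, blank lines and lines starting with # or ; ignored.
envfile_keys() {
    sed -n \
        -e '/^[[:space:]]*[#;]/d' \
        -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1"
}

# Demo run against files built in a scratch directory.
demo() {
    tmp=$(mktemp -d)
    leaky_unit    > "$tmp/leaky.service"
    hardened_unit > "$tmp/hardened.service"
    printf '# constructed, not a real token\nGOPHER_SLACK_TOKEN=xoxb-constructed\n' \
        > "$tmp/robotsecret.txt"
    chmod 0600 "$tmp/robotsecret.txt"
    for f in leaky hardened; do
        if unit_has_inline_secret "$tmp/$f.service"; then
            echo "$f.service: secret inline in Environment=, readable over D-Bus"
        else
            echo "$f.service: no inline secret"
        fi
    done
    if envfile_is_private "$tmp/robotsecret.txt"; then
        echo "robotsecret.txt: mode ok, defines: $(envfile_keys "$tmp/robotsecret.txt")"
    else
        echo "robotsecret.txt: readable by group/other, fix the mode"
    fi
    rm -rf "$tmp"
}
demo
```

On a real host the confirming check is to run, as an unprivileged user, `systemctl show -p Environment -p EnvironmentFiles gopherbot.service`: after the change the Environment property is empty and EnvironmentFiles lists only the path. The warning David saw is systemd telling you that marking the fragment world-inaccessible has no effect because configuration data is reachable through its API regardless; the file referenced by EnvironmentFile= is not part of that data. On systemd 247 or newer, LoadCredential= is the purpose-built alternative to an environment file.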