Rich Freeman via plug on 11 Jan 2024 06:06:47 -0800
Re: [PLUG] secure variables in bash
On Thu, Jan 11, 2024 at 8:54 AM Rita via plug <plug@lists.phillylinux.org> wrote:
>
> I have been using an environment variable. It works. Just not secure.
> I can also use a file and set a restrictive mode, and delete the file afterwards.

Yeah, environment beats command line, but it isn't really an ideal place to store stuff. It is pretty common all the same, and I'm not sure if bash has a better alternative (I don't use it enough for that sort of thing). A lot of docker/k8s containers use environment to pass things that aren't ideal as well, in part because of a lack of alternatives. k8s of course has other ways to provide secrets, but it is rare to see containers built specifically for k8s, at least in general circulation.

As Bhaskar hinted at - there is a bit more to the question but you can at least make the problem harder for an attacker. Environment is much easier to get at. If you're going to start scanning process memory space that seems like a harder level, but maybe that is just because of a lack of tooling. I'm not sure in practice how many linux access controls there are that would truly make it harder to access process memory than process environment.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
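An added example, not part of the message above or of anyone's post in the thread: a shell sketch of the file-based option mentioned in the quoted text, where the secret is read from an owner-only file into a non-exported shell variable and handed to a child on stdin, so it is in neither the child's command line nor its environment. It assumes Linux with GNU coreutils (`stat -c`); the names `SECRET`, `load_secret`, `child_env_has`, `with_secret_on_stdin` and `demo` are illustrative, and the sample value is constructed. The secret still lives in the shell's process memory.

```shell
#!/bin/sh
# Added example. Assumes Linux with GNU coreutils (stat -c). All names are illustrative.

# Load the first line of an owner-only file into the NON-exported variable SECRET.
load_secret() {
    _mode=$(stat -c '%a' -- "$1") || return 2
    # Any group/other permission bit (octal mask 077) means the file is too open.
    if [ $(( 0$_mode & 077 )) -ne 0 ]; then
        echo "refusing $1: mode $_mode is not owner-only" >&2
        return 1
    fi
    unset SECRET    # also drops an export attribute inherited from the caller
    IFS= read -r SECRET < "$1" || [ -n "$SECRET" ]   # tolerate a missing final newline
}

# True if a newly spawned child process sees variable $1 in its environment.
child_env_has() {
    env | grep -q "^$1="
}

# Run "$@" with the secret on stdin. printf is a shell builtin, so no process
# is started with the secret as an argument.
with_secret_on_stdin() {
    printf '%s\n' "$SECRET" | "$@"
}

# End-to-end run with a constructed sample value.
demo() {
    _f=$(umask 077; mktemp) || return 1            # created owner-only
    printf '%s\n' 'constructed-sample-token' > "$_f"
    load_secret "$_f"; _rc=$?
    rm -f -- "$_f"                                 # delete the file afterwards
    [ "$_rc" -eq 0 ] || return "$_rc"
    child_env_has SECRET && return 1               # must not reach a child's environment
    [ "$(with_secret_on_stdin cat)" = "$SECRET" ]  # child received it on stdin
}

demo && echo "secret reached the child via stdin only"
```
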