Michael Lazin via plug on 11 Jan 2024 07:23:21 -0800 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Re: [PLUG] secure variables in bash |
On Thu, Jan 11, 2024 at 8:54 AM Rita via plug
<plug@lists.phillylinux.org> wrote:
>
> I have been using an environment variable. It works. Just not secure.
> I can also use a file and set a restrictive mode, and delete the file afterwards.
Yeah, environment beats command line, but it isn't really an ideal
place to store stuff. It is pretty common all the same, and I'm not
sure if bash has a better alternative (I don't use it enough for that
sort of thing).
A lot of docker/k8s containers use environment to pass things that
aren't ideal as well, in part because of a lack of alternatives. k8s
of course has other ways to provide secrets, but it is rare to see
containers built specifically for k8s, at least in general
circulation.
As Bhaskar hinted at - there is a bit more to the question but you can
at least make the problem harder for an attacker. Environment is much
easier to get at. If you're going to start scanning process memory
space that seems like a harder level, but maybe that is just because
of a lack of tooling. I'm not sure in practice how many linux access
controls there are that would truly make it harder to access process
memory than process environment.
--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug