Michael Lazin via plug on 11 Jan 2024 07:23:21 -0800


Re: [PLUG] secure variables in bash

You can use a token such as a PEM file instead of an API key if your application supports it.  This is really standard best practice instead of putting an API key in your script.  I hope this helps.  


Michael Lazin 

On Thu, Jan 11, 2024, 9:06 AM Rich Freeman via plug <plug@lists.phillylinux.org> wrote:
On Thu, Jan 11, 2024 at 8:54 AM Rita via plug
<plug@lists.phillylinux.org> wrote:
> I have been using an environment variable. It works. Just not secure.
> I can also use a file and set a restrictive mode, and delete the file afterwards.

Yeah, environment beats command line, but it isn't really an ideal
place to store stuff.  It is pretty common all the same, and I'm not
sure if bash has a better alternative (I don't use it enough for that
sort of thing).

A lot of docker/k8s containers use environment to pass things that
aren't ideal as well, in part because of a lack of alternatives.  k8s
of course has other ways to provide secrets, but it is rare to see
containers built specifically for k8s, at least in general

As Bhaskar hinted at - there is a bit more to the question but you can
at least make the problem harder for an attacker.  Environment is much
easier to get at.  If you're going to start scanning process memory
space that seems like a harder level, but maybe that is just because
of a lack of tooling.  I'm not sure in practice how many Linux access
controls there are that would truly make it harder to access process
memory than process environment.

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
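
The file-with-restrictive-mode approach discussed in this thread, as an added example that is not part of any poster's message: the secret is read from a file only if its owner and mode are tight, kept in an unexported shell variable, and handed to a consumer on stdin rather than through argv or the environment. The function names and the sample token are constructed for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example on a constructed secret; function names are hypothetical.

# load_secret FILE: set SECRET (never exported) only if FILE is a regular
# file owned by us with no group/other permission bits.
load_secret() {
    unset SECRET                      # also drops any inherited export flag
    _f=$1
    if [ -L "$_f" ] || [ ! -f "$_f" ]; then
        echo "load_secret: $_f is not a regular file" >&2; return 1
    fi
    # stat -c is GNU coreutils: octal mode, then numeric owner id.
    _meta=$(stat -c '%a %u' "$_f") || return 1
    if [ "${_meta#* }" != "$(id -u)" ]; then
        echo "load_secret: $_f is owned by another user" >&2; return 1
    fi
    case ${_meta% *} in
        [0-7]00) ;;                   # e.g. 600 or 400
        *) echo "load_secret: mode ${_meta% *} is too open" >&2; return 1 ;;
    esac
    # Read one line; tolerate a missing trailing newline.
    IFS= read -r SECRET < "$_f" || [ -n "$SECRET" ] || return 1
    [ -n "$SECRET" ]
}

# Succeeds if a child process would find SECRET in its environment.
secret_visible_to_children() {
    env | grep -q '^SECRET='
}

# send_secret_to CMD [ARGS...]: feed the secret to CMD on stdin. printf is a
# shell builtin, so the value never appears in any process's argv.
send_secret_to() {
    printf '%s' "$SECRET" | "$@"
}

# Demo: run as `sh thisfile demo`.
if [ "${1:-}" = demo ]; then
    demo=$(mktemp)                    # mktemp creates the file mode 600
    printf 'constructed-token-123\n' > "$demo"
    load_secret "$demo" && send_secret_to wc -c
    secret_visible_to_children || echo "SECRET is not in child environments"
    rm -f "$demo"                     # delete the file afterwards
fi
```
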