Rita via plug on 11 Jan 2024 08:14:20 -0800



Re: [PLUG] secure variables in bash


Where can I read more about this? Sounds interesting.

On Thu, Jan 11, 2024 at 10:23 AM Michael Lazin via plug <plug@lists.phillylinux.org> wrote:

You can use a token such as a PEM file instead of an API key if your application supports it.  This is really standard best practice instead of putting an API key in your script.  I hope this helps.  

Thanks,

Michael Lazin 

On Thu, Jan 11, 2024, 9:06 AM Rich Freeman via plug <plug@lists.phillylinux.org> wrote:
On Thu, Jan 11, 2024 at 8:54 AM Rita via plug
<plug@lists.phillylinux.org> wrote:
>
> I have been using an environment variable. It works. Just not secure.
> I can also use a file and set a restrictive mode, and delete the file afterwards.

Yeah, environment beats command line, but it isn't really an ideal
place to store stuff.  It is pretty common all the same, and I'm not
sure if bash has a better alternative (I don't use it enough for that
sort of thing).

A lot of docker/k8s containers use environment to pass things that
aren't ideal as well, in part because of a lack of alternatives.  k8s
of course has other ways to provide secrets, but it is rare to see
containers built specifically for k8s, at least in general
circulation.

As Bhaskar hinted at - there is a bit more to the question but you can
at least make the problem harder for an attacker.  Environment is much
easier to get at.  If you're going to start scanning process memory
space that seems like a harder level, but maybe that is just because
of a lack of tooling.  I'm not sure in practice how many Linux access
controls there are that would truly make it harder to access process
memory than process environment.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug


--
--- Get your facts first, then you can distort them as you please.--
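
The options weighed in this thread (a secret file with a restrictive mode, deleted after use, versus an exported environment variable), as an added example that is not part of the original messages. The function names and the sample key are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example; function names and the sample key are constructed.

# Write stdin to PATH with mode 600 from the moment the file is created.
write_secret_file() {
    ( umask 077 && cat > "$1" )
}

# Print the secret in PATH, refusing files that group or others can access.
load_secret() {
    local perms
    perms=$(ls -ld -- "$1" | cut -c5-10) || return 1
    if [ "$perms" != "------" ]; then
        echo "refusing $1: group/other permission bits are set" >&2
        return 1
    fi
    cat -- "$1"
}

# Succeed if a child process would find variable NAME in its environment.
child_sees() {
    env | grep -q "^$1="
}

demo() {
    local dir
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'constructed-sample-key' | write_secret_file "$dir/api_key"

    # Plain assignment: the value lives in this shell only, not in the
    # environment that child processes inherit.
    API_KEY=$(load_secret "$dir/api_key") || return 1
    rm -rf -- "$dir"                     # delete the file once it is loaded

    if child_sees API_KEY; then echo "unexported: visible to children"
    else echo "unexported: hidden from children"; fi

    export API_KEY                       # what "using an environment variable" does
    if child_sees API_KEY; then echo "exported: visible to children"
    else echo "exported: hidden from children"; fi

    # printf is a shell builtin, so the key never appears in any argv;
    # a consumer that reads its credential from stdin can be fed this way.
    printf '%s' "$API_KEY" | wc -c
    unset API_KEY
}

demo
```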