Lennart Poettering píše v Út 13. 11. 2018 v 15:17 +0100: > On Di, 13.11.18 07:49, David Parsley (pars...@linuxjedi.org) wrote: > > > I disagree; privacy of environment variables to individual users on the > > system is as fundamental as Unix file permissions. If a privileged process > > (systemd) is configured to start a service and provide environment > > variables to an unprivileged service account, it is a reasonable > > expectation that said environment is only available to root and the service > > account (and it's child processes), and not other arbitrary > > users/processes. From a system security engineering perspective, it would > > be better if systemd didn't start a service at all with 0600 on the unit > > file, rather than violate the principle of Unix environment privacy, and in > > fact should actually just check the world-read bit. > > Well, you are of course welcome to ignore whatever I say, but again, > environment blocks are leaky, they propagate down the process tree, > and are *not* generally understood as being secret.
It is not *that* common to pass secrets via environment variable but it's nothing unusual, and many programs offer this interface. OpenVPN comes to bind. Where such interface is offered, propagating down the process tree is usually not a concern, because such programs usually don't fork "untrusted" programs. It's quite handy way to pass secrets and as I said above, there's really no risk if it's done in cases where it makes sense. Of course systemd leaking it to everyone makes it not usable with systemd, but that's not really a problem with environment variables. _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
