Linux - securing environment variables

Just wondering if there is any way to secure the environment variables in a *nix system such that they can not be read from any plain text file, but is available in the environment.

I know we can always use filesystem level permissions for .bashrc/.bash_profile, but what if certain variables (like db passwords) are to be hidden completely开发者_运维技巧?

One way to do would be to write some sort of program/perl script to:

1. Take inputs from a plain text file and encrypt/hash the content (and then get rid of the plain text file)
2. Use the same to decrypt the file runtime and export the values from the decrypted output (I know this program can be used to dump the decrypted values somewhere, but I am not concerned about that right now)

Is there any other better and more obvious way to achieve this?

Thanks!

-Gaurav

No way. Even if you hide it from text file, it is still available from /proc/<pid>/environ (linux) or ps e (other unix).

Who are you securing them from?

The short answer is "No". The user can see their own environment variables unless you bottle them up so thoroughly that they can never access the shell. But which editor do you let them use? Did you say 'vim'? Oh, they've got access to the shell, after all.

It is sort-of possible, but very indirect. You would need to save the sensitive data into a file readable only by the process that starts the process that needs it in an environment variable. /proc/###/environ is only readable by the user as whom a process is running, so the data is safe there.

But, more directly, the proper method for hiding stuff like database passwords is to save them in a file readable only by the user and/or group that the program reading them runs as. Don't bother passing them in an environment variable (unless you really need to for some reason), just have the process read them from the file.

For example, if you are running a web site and the CGI scripts/binaries are started by Apache, which runs as user:group apache:apache, save the database password that the CGI needs into a file owned by apache:apache with permissions like rw-r----- (640). That way, for somebody to read the file, he needs to either be root, a member of the apache group, or running the read program with an effective user or group of apache.

The only benefit to using environment variables is that you can remove them from the environment before starting a sub-process, whereas if the sub-process is to be owned by the same user, it can read the secured file.

It's not so hard to do. Just put you encrypted password in the file and replace cat file (see below) with whatever program you're using to decrypt it. cat file | decoding software

Those are backtick quotes btw near the tab/esc key. They're used to substitute the output of the command in the area in which they're used.

$ touch file
$ echo "MySecret" > file
$ cat file
MySecret
$ export SECRET=`cat file`
$ echo $SECRET
MySecret

I'm sure a lot of people wonder about this are ones using docker possibly with portainer which posts this sensitive information on screen in the clear, and simply want it hidden from view.

Note: There are other more elaborate methods too.

There's also third party software that do a similar job. https://www.vaultproject.io/ there are others.

Personally I'd rather use use native bash scripting. Naturally you can do something like storing one key on a server and another locally for double security if you wanted.

Code your own authentication server.

Store your variable on a private github repo and use the backticks to read it using git, etc etc.

Code your own Zero Knowledge Proof. Your imagination is the limiting factor.