Lennart Poettering on Nostr: Environment variables after all suck for passing secrets, since they are by default ...
Environment variables after all suck for passing secrets, since they are by default inherited down the process tree, even across privilege changes, are placed in swappable memory, cannot be recalled, have no access control concept (i.e. not locked to the UID/GID) and so on.
There's one particularly nice facet of systemd's credentials concept: they are not just *service* credentials, but also *system* credentials.
Published at 2024-04-30 08:26:55

Event JSON
{
  "id": "aa9349c2f5ed4f61b6fa469f1810da6b6daaa50f72e8ad3bbe14f4e75b5e31c8",
  "pubkey": "1d95c32d9a9d95a54f98eb2eaa156f3d3a71dc49eca2c960b2b89962758f1cc0",
  "created_at": 1714465615,
  "kind": 1,
  "tags": [
    [
      "e",
      "a40db52734e865d08b4a42390e7088a1df821019df7208c671d20839db2e7dd4",
      "wss://relay.mostr.pub",
      "reply"
    ],
    [
      "proxy",
      "https://mastodon.social/users/pid_eins/statuses/112359218550740841",
      "activitypub"
    ]
  ],
  "content": "Environment variables after all suck for passing secrets, since they are by default inherited down the process tree, even across privilege changes, are placed in swappable memory, cannot be recalled, have no access control concept (i.e. not locked to the UID/GID) and so on.\n\nThere's one particularly nice facet of systemd's credentials concept: they are not just *service* credentials, but also *system* credentials.",
  "sig": "fb9f39f8e4a75d56ddcff465022fcf43beef400e219c2629bd0c7149eea68960690f55164078913cf45eb7dd860055a5f0129c124ab4deee31c2b1cc6f9ad0d9"
}