Environment variables after all suck for passing secrets, since they are by default inherited down the process tree, even across privilege changes, are placed in swappable memory, cannot be recalled, have no access control concept (i.e. not locked to the UID/GID) and so on.
There's one particularly nice facet of systemd's credentials concept: they are not just *service* credentials, but also *system* credentials.
Lennart Poettering /
npub1rk…qzenj
2024-04-30 08:26:55
in reply to nevent1q…89dn
Author Public Key
npub1rk2uxtv6nk262nucavh259t085a8rhzfaj3vjc9jhzvkyav0rnqqxqzenjPublished at
2024-04-30 08:26:55Event JSON
{
"id": "aa9349c2f5ed4f61b6fa469f1810da6b6daaa50f72e8ad3bbe14f4e75b5e31c8",
"pubkey": "1d95c32d9a9d95a54f98eb2eaa156f3d3a71dc49eca2c960b2b89962758f1cc0",
"created_at": 1714465615,
"kind": 1,
"tags": [
[
"e",
"a40db52734e865d08b4a42390e7088a1df821019df7208c671d20839db2e7dd4",
"wss://relay.mostr.pub",
"reply"
],
[
"proxy",
"https://mastodon.social/users/pid_eins/statuses/112359218550740841",
"activitypub"
]
],
"content": "Environment variables after all suck for passing secrets, since they are by default inherited down the process tree, even across privilege changes, are placed in swappable memory, cannot be recalled, have no access control concept (i.e. not locked to the UID/GID) and so on.\n\nThere's one particularly nice facet of systemd's credentials concept: they are not just *service* credentials, but also *system* credentials.",
"sig": "fb9f39f8e4a75d56ddcff465022fcf43beef400e219c2629bd0c7149eea68960690f55164078913cf45eb7dd860055a5f0129c124ab4deee31c2b1cc6f9ad0d9"
}