Closed de-jcup closed 4 years ago
Obsolete, because somebody having access to the process list of another user normally has admin rights. Having admin rights you can do, at least on Linux:
sudo cat /proc/$PID/environ
This should be possible on Windows as well, so it makes no difference.
I would like to reopen this issue as the closing reason is not correct: I can run ps aux on a Linux server and see all processes of all users, even root. But I cannot read /proc/$PID/environ of a process of another user: the file is owned by the user that started the process and the file permissions allow read access only by the owner of the file. As root I can access the environ file for every process, but I think there is no way of hiding an API key from admins. Therefore it would be a security enhancement to store the API token in an environment variable instead of giving it to the SecHub client as a command line parameter, as at least non-admin users would not be able to access the API token.
Andreas, thank you! You are absolutely right... will reopen the issue and integrate it into the next release.
Created branch feature-36-api-token-as-env-variable
Currently we have the same situation for the Go client as for the admin UI, see #8: everybody able to see processes on the server side also sees the API token used when calling the SecHub client.
The SECHUB_APITOKEN environment variable shall be an addition to the existing code. It shall be backward compatible, but a warning should be printed when the user passes the token as an argument instead of via the environment entry.
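One way the token resolution described in this thread could look in a Go command line client, as an added illustration and not the SecHub project's own code: the environment variable SECHUB_APITOKEN (the name from this issue) is read first; the command line argument keeps working for backward compatibility, but its use triggers a warning because argv is readable by every user through ps while /proc/PID/environ is readable only by the process owner (and root). The flag name -apitoken and the helper name resolveAPIToken are assumptions for this example.

```go
package main

import (
	"flag"
	"fmt"
	"os"
)

// tokenEnvVar is the variable name proposed in the issue.
const tokenEnvVar = "SECHUB_APITOKEN"

// resolveAPIToken picks the token to use and reports whether the caller
// should print a warning. Hypothetical helper, not the real client API.
//
//   - The environment variable is preferred: /proc/<pid>/environ is only
//     readable by the process owner and root.
//   - The argument is still accepted (backward compatible), but because the
//     command line is visible to all users via ps, any use of it is warned
//     about, even when the environment variable is also set.
func resolveAPIToken(envToken, argToken string) (token string, warning string, err error) {
	if argToken != "" {
		warning = "WARNING: API token passed as command line argument; it is visible " +
			"to other users in the process list. Set " + tokenEnvVar + " instead."
	}
	switch {
	case envToken != "":
		return envToken, warning, nil
	case argToken != "":
		return argToken, warning, nil
	default:
		return "", "", fmt.Errorf("no API token: set %s or pass -apitoken", tokenEnvVar)
	}
}

func main() {
	// -apitoken is an assumed flag name for this example.
	argToken := flag.String("apitoken", "", "API token (deprecated, use "+tokenEnvVar+")")
	flag.Parse()

	token, warning, err := resolveAPIToken(os.Getenv(tokenEnvVar), *argToken)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if warning != "" {
		fmt.Fprintln(os.Stderr, warning)
	}
	// Never echo the token itself; only confirm that one was resolved.
	fmt.Printf("API token resolved (%d characters)\n", len(token))
}
```

The warning is emitted whenever the argument was supplied at all, not only when it was the value actually used, because the exposure in the process list has already happened by the time the client starts.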