mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.
https://mercedes-benz.github.io/sechub/
MIT License
263 stars 63 forks

Change go client, so apitoken can be set by environment entry instead of argument #36

Closed de-jcup closed 4 years ago

de-jcup commented 5 years ago

Currently we have the same situation for the go client as for the admin UI, see #8: everybody able to see processes on the server side also sees the API token used when calling the sechub client.

The SECHUB_APITOKEN environment variable shall be an addition to the existing code. It shall be backward compatible, but a warning should be printed out when the user is using the argument instead of the env entry.
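The precedence described in the comment above (environment variable first, argument kept for compatibility but warned about) can be written as a small resolver. The following is an added example, not code from the SecHub client; the flag name `-apitoken`, the `ResolveAPIToken` function and the injected `lookupEnv`/`warn` callbacks are assumptions made here so the logic can be exercised without touching the real environment.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"os"
	"strings"
)

// Name of the environment variable proposed in this issue.
const apiTokenEnv = "SECHUB_APITOKEN"

// ErrNoAPIToken is returned when neither the environment nor the
// command-line argument supplies a token.
var ErrNoAPIToken = errors.New("no API token: set " + apiTokenEnv + " (preferred) or pass -apitoken")

// ResolveAPIToken returns the token to use, whether the deprecated
// command-line path was taken, and an error if no token is available.
//
// Precedence: a non-blank SECHUB_APITOKEN wins. A non-blank argToken is
// still accepted for backward compatibility, but warn() is called because
// argv is world-readable through /proc/<pid>/cmdline on Linux.
// lookupEnv is injected (normally os.LookupEnv) to keep the function testable.
func ResolveAPIToken(lookupEnv func(string) (string, bool), argToken string, warn func(string)) (string, bool, error) {
	if v, ok := lookupEnv(apiTokenEnv); ok && strings.TrimSpace(v) != "" {
		return strings.TrimSpace(v), false, nil
	}
	if strings.TrimSpace(argToken) != "" {
		warn("WARNING: -apitoken on the command line is visible to other users in the process list; " +
			"set " + apiTokenEnv + " instead")
		return strings.TrimSpace(argToken), true, nil
	}
	return "", false, ErrNoAPIToken
}

func main() {
	// Hypothetical flag; the real client's option name may differ.
	argToken := flag.String("apitoken", "", "API token (deprecated: use "+apiTokenEnv+")")
	flag.Parse()

	token, deprecated, err := ResolveAPIToken(os.LookupEnv, *argToken, func(msg string) {
		fmt.Fprintln(os.Stderr, msg)
	})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	// Once read, drop the variable so child processes (scanners, helpers)
	// do not inherit the secret through their own environment.
	_ = os.Unsetenv(apiTokenEnv)

	fmt.Printf("token resolved (%d chars, via deprecated argument: %v)\n", len(token), deprecated)
}
```

The warning goes to stderr rather than stdout so that scripts parsing the client's output are not broken; unsetting the variable after reading it limits how far the secret propagates.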

de-jcup commented 5 years ago

Obsolete, because somebody having access to the process list of another user normally has admin rights. Having admin rights you can do, at least on Linux:

sudo cat /proc/$PID/environ

This should be possible on Windows as well, so it makes no difference.

ghost commented 4 years ago

I would like to reopen this issue as the closing reason is not correct:

Therefore it would be a security enhancement to store the API token in an environment variable instead of giving it to the SecHub client as a command line parameter, as at least non-admin users would not be able to access the API token.

de-jcup commented 4 years ago

Andreas, thank you! You are absolutely right... will reopen the issue and integrate it into the next release.

sven-dmlr commented 4 years ago

Created branch feature-36-api-token-as-env-variable