vi / websocat

Command-line client for WebSockets, like netcat (or curl) for ws:// with advanced socat-like functions
MIT License
7k stars, 272 forks

Consider allowing basic auth to be passed in environment variable to hide it from the rest of users #240

Closed: puzzle-star closed this issue 4 months ago

puzzle-star commented 4 months ago

Currently, client basic auth can be passed with --basic-auth parameter. This allows, anyway, the passed credentials to be seen by any user.

Could you please consider allowing the same value to be passed as environment variable to hide it from the rest of the users? (i.e. WEBSOCAT_BASIC_AUTH)

vi commented 4 months ago

Are environment variables better protected than command line arguments? Or do the latter just catch one's attention in top output, while the former require digging through /proc/N/environ?

Typically secrets are moved from program arguments to files to avoid exposure, not to envvars as far as I know.

puzzle-star commented 4 months ago

Normally, env variables are not accessible in /proc by default to other users, while command line parameters are.

This can be configured, but it is common to allow use of ps tools without restrictions so users can see command lines, without causing major security concerns as long as credentials are not passed, while leaving env access closed.

Accepting creds in a file would be 100% perfect, and indeed the solution "by the book". I just asked for env as it is probably more straightforward to implement, and secure enough (at least for me).

Regards, Pedro


puzzle-star commented 4 months ago

Just an addition to my last comment: it's also common to pass credentials in the environment in general-use tools (e.g. curl).

Environment in /proc is generally only readable by the owning user.

Regards, Pedro

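Added example, not code from websocat or from anyone in this thread: a small Linux audit script that illustrates the two comments above by comparing the permission bits of /proc/PID/cmdline and /proc/PID/environ and flagging processes whose command line carries a credential. The flag name `--basic-auth` is websocat's; the scanner itself, its function names and the sample argv values are constructed for this example.

```python
"""Audit /proc exposure of credentials passed as command-line arguments.

Hypothetical helper (not part of websocat). Assumes Linux procfs semantics:
/proc/PID/cmdline is world-readable, /proc/PID/environ is owner-only.
"""
import os
import stat

SECRET_FLAGS = ("--basic-auth",)  # flags whose value is a credential


def has_procfs() -> bool:
    """True when a Linux-style /proc is mounted (the scan needs it)."""
    return os.path.isdir("/proc/self")


def redact_argv(argv: list) -> list:
    """Return argv with credential values replaced by '***'.
    Handles both '--flag value' and '--flag=value' spellings."""
    out, hide_next = [], False
    for arg in argv:
        if hide_next:
            out.append("***")
            hide_next = False
        elif arg in SECRET_FLAGS:
            out.append(arg)
            hide_next = True
        elif any(arg.startswith(f + "=") for f in SECRET_FLAGS):
            out.append(arg.split("=", 1)[0] + "=***")
        else:
            out.append(arg)
    return out


def exposes_secret(argv: list) -> bool:
    """True if a credential sits in argv, i.e. in world-readable cmdline."""
    return redact_argv(argv) != argv


def read_argv(pid: str = "self") -> list:
    """Parse /proc/PID/cmdline: NUL-separated arguments with a trailing NUL."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]


def proc_modes(pid: str = "self") -> dict:
    """Permission bits of cmdline vs environ; on Linux 0o444 vs 0o400."""
    return {n: stat.S_IMODE(os.stat(f"/proc/{pid}/{n}").st_mode)
            for n in ("cmdline", "environ")}


def scan_all() -> list:
    """(pid, redacted argv) for every readable process exposing a credential."""
    hits = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            argv = read_argv(pid)
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        if exposes_secret(argv):
            hits.append((int(pid), redact_argv(argv)))
    return hits
```

Run `scan_all()` as an unprivileged user to see exactly what any other local account could read; `proc_modes()` shows why the same value placed in the environment is not visible the same way.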

puzzle-star commented 4 months ago

Working as expected, thanks!