Questions tagged [environment-variables]
36 questions
48
votes
10 answers
Global variables and information security
I get the impression that it is a programming best practice to create variables in specific scopes (like a function scope) and avoid global scope to make things more modular and better organized. However I'm not sure if there is also a security…
user123574
24
votes
1 answer
Is it unsafe to use environmental variables for secret data?
After reading this blog post in which the author lays out arguments against using environmental variables for storing secrets, I am unsure how to proceed with deploying my application.
His primary arguments are as follows:
Given that the…
temporary_user_name
- 436
- 1
- 5
- 15
20
votes
3 answers
Some folders in the PATH variable are writable by anyone. Dangerous or not?
I noticed that some folders in the PATH environment variable (e.g. C:\Python) give write privileges to anyone on the machine, including users without Admin rights. I understand that people can probably modify the Python executables and things in…
Shao Kun Deng
- 309
- 2
- 3
18
votes
1 answer
What security advantages does Hashicorp Vault have over storing secrets (passwords, API keys) in environment variables?
There seems to be a general recommendation to store secrets in the Hashicorp Vault instance (or similar key-management software) and avoid passing secrets via environment variables.
In what particular scenarios using Vault is better from security…
user148622
- 183
- 1
- 4
8
votes
1 answer
Ordering of the PATH environment variable
Locally here on Ubuntu 14.04, my $PATH looks something like this:
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"
When I manually define the path for cron jobs or in Puppet/Ansible provisioning…
Naftuli Kay
- 6,715
- 9
- 47
- 75
6
votes
2 answers
How to securely store secrets in Docker container?
The application I'm working on has more than a dozen of secrets, SSL certificates and API keys. Currently I have a file that's added into .gitignore and it contains all my secrets. How to securely store all these secrets? How enterprise apps handle…
roman
- 313
- 2
- 6
5
votes
2 answers
Azure Key Vault vs Azure Environment Variables - Which is the right way?
I've read a lot on the new Azure Key Vault feature and it does have some valid use cases. However in the case of a simple web app I don't see the benefit of using environment variables which can be configured in the portal.
If a hacker has access to…
Igliv
- 361
- 1
- 10
4
votes
1 answer
What are some vulnerabilities of environment variables (on any platform)?
I am writing a small cross platform Python application (a package manager to be used internally by my corp), and I'm thinking of using something similar to this answer on Stack Overflow to check for administrator/root privileges. I noticed the…
nerflad
- 41
- 1
- 4
3
votes
0 answers
Are environmental variables for web PaaS a bad security smell?
I'm seeing a trend for deploying web apps to PaaS that the config is typically defined in environmental variables. e.g. Azure Functions or .net core apis
Assuming this has been done to follow good practice to ensure secrets do not end up in code /…
Alex KeySmith
- 319
- 1
- 9
3
votes
3 answers
Plain text Rails environment variables and security
I work for a healthcare company that emphasizes security, due to the sensitivity of the data that we work with. Recently, we've been doing a lot of auditing (internal and external) of our current "stack" to ensure that we're compliant with various…
RonMexico
- 31
- 1
3
votes
1 answer
What's the motivation for excluing /usr/local/bin from root's PATH?
I just discovered that root's PATH on CentOS does not include /usr/local/bin.
What's the rationale for this? I'm tempted to add it to the PATH but I don't know what vulnerabilities that might introduce.
spraff
- 305
- 2
- 9
2
votes
1 answer
ld.so Secure-execution mode a valid mitigation for polkit CVE-2021-4034?
I was browsing the ld.so man page and I saw an entry about Secure-Execution mode:
**Secure-execution mode**
For security reasons, if the dynamic linker determines that a binary
should be run in secure-execution mode, the effects of…
linuxuser8
- 21
- 1
2
votes
1 answer
Why is the setuid bit not working when I execute this binary?
I am currently going through the Narnia challenges on overthewire.org. For the 1-->2 challenge, I am running into an issue that I can't seem to get around. Basically there is a C program called narnia1 that has the setuid bit set. This is the code…
Joel B.
- 21
- 2
2
votes
0 answers
Is it safe to retrieve GnuPG public/secret key with fs in Node.js?
So there is a Node.js package openpgp which is available for signing documents with GPG, but it requires public/secret key. We all know putting key right into the file is dangerous and not recommend under production and usually we'll use envrionment…
Andrew.Wolphoe
- 223
- 1
- 8
2
votes
0 answers
Protecting the password in a PBE scheme for an application
I am currently formulating security best practices and requirements for ongoing Java software development in my department and have settled with a recommendation of using the Jasypt framework for encryption/decryption of service account credentials…
maple_shaft
- 1,092
- 1
- 8
- 18