Security issues related to storing secrets in scripts

1

Let's say you have a program you want to run unattended, as root, which requires a secret (such as a passphrase; something you don't want other people to find out), which can be read from an environment variable. One way of accomplishing this would be to create a script like the following, and run it from root's crontab.

#!/bin/bash
export SECRET='my_secret'
/usr/bin/some_program
export SECRET=

Okay, so I can think of two security issues here.

First, someone could find the value of $SECRET by reading the script. Using chmod 700 should take care of that.

Second, someone could use something like ps ae while some_program is running. However, if the script is running as root, only root (or sudoers) can see its environment, right?

Am I correct in believing the value of $SECRET can only be found by root or sudoers? Are there other security issues?

And, to make all this a little less abstract, this is what got me thinking.

sarnesjo

Posted 2009-11-06T20:44:47.347

Reputation: 113

Answers

0

Is this a script that will only ever run on your own box?

Modern Linux defaults environment variables to only being visible to root or yourself, but that's not portable. Various other OSes either can't filter them, or don't filter them by default.

Phil P

Posted 2009-11-06T20:44:47.347

Reputation: 1 773

Ah, there we go. Now I see why this would be a security problem in the general case. (In my case, this script will only ever run on my box.) – sarnesjo – 2010-01-03T15:56:04.353

0

My first thoughts would be to avoid exporting pass-phrases at all times.
duplicity seems has an option '--use-agent' that might help here.

If this option is specified, then '--use-agent' is passed to the GnuPG encryption process and it will turn off any passphrase interaction with the user with respect to '--encrypt-key' or '--sign-key'.

Update: These are my biased opinions.

  • A script should not cause security information to be exported in to the environment
  • If you are not working with a special application (like duplicity),
    it would be easier to avoid the problem from my previous point by just shifting to the user-agent based mechanism (ssh has one for example, and I expected duplicity to have one -- which it did)
  • the secret information is better (in a relative sense) protected with unix-access attributes under the application private data (I refer to things like .ssh/id_dsa)

nik

Posted 2009-11-06T20:44:47.347

Reputation: 50 788

I have some gripes with that answer. ;)

  1. It didn't answer my question. I am not trying to make some script more secure, I am trying to understand if and why I should. Sorry if my question was unclear.

  2. It only addresses the specific situation where some_program is duplicity.

    3. < – sarnesjo – 2009-11-07T14:05:06.397

Asked: 2009-11-06T20:44:47.347

Viewed: 131 times

Active: 2009-12-10T09:18:56.997