Consider allowing basic auth to be passed in environment variable to hide it from the rest of users #240
Comments
|
Are environment variables better protected than command line arguments? Or the latter just catch one's attection in Typically secrets are moved from program arguments to files to avoid exposure, not to envvars as far as I know. |
|
Normally, env variables are not accessible in /proc by default to other users, while command line parameters are.
This can be configured, but it is common to allow use of ps tools without restrictions to users to see command line, without causing major security concerns as far as credentials are not passed, while leaving env access closed.
Accepting creds in a file would be 100% perfect, and indeed the solution "by the book". Just asked for env as it is probably more straight forward to implement, and secure enough (at least for me).
Saludos,
Pedro
…________________________________
From: Vitaly Shukela ***@***.***>
Sent: Monday, May 6, 2024 12:45:57 PM
To: vi/websocat ***@***.***>
Cc: Pedro Garcia ***@***.***>; Author ***@***.***>
Subject: Re: [vi/websocat] Consider allowing basic auth to be passed in environment variable to hide it from the rest of users (Issue #240)
Are environment variables better protected than command line arguments? Or the latter just catch one's attection in top output while the former require to dig though /proc/N/environ?
Typically secrets are moved from program arguments to files to avoid exposure, not to envvars as far as I know.
—
Reply to this email directly, view it on GitHub<#240 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AGGVBNO3B2ZLUHX3ZDNT6P3ZA5NOLAVCNFSM6AAAAABHHRFQKGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOJVG4YTKOJRG4>.
You are receiving this because you authored the thread.Message ID: ***@***.***>
|
|
Just an addition to my last comment: it's also common to pass credentials in environment in general use tools (i.e. curl)
Environment in /proc is generally only readable by owner user
Saludos,
Pedro
…________________________________
From: Vitaly Shukela ***@***.***>
Sent: Monday, May 6, 2024 12:45:57 PM
To: vi/websocat ***@***.***>
Cc: Pedro Garcia ***@***.***>; Author ***@***.***>
Subject: Re: [vi/websocat] Consider allowing basic auth to be passed in environment variable to hide it from the rest of users (Issue #240)
Are environment variables better protected than command line arguments? Or the latter just catch one's attection in top output while the former require to dig though /proc/N/environ?
Typically secrets are moved from program arguments to files to avoid exposure, not to envvars as far as I know.
—
Reply to this email directly, view it on GitHub<#240 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AGGVBNO3B2ZLUHX3ZDNT6P3ZA5NOLAVCNFSM6AAAAABHHRFQKGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOJVG4YTKOJRG4>.
You are receiving this because you authored the thread.Message ID: ***@***.***>
|
|
Working as expected, thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently, client basic auth can be passed with --basic-auth parameter. This allows, anyway, the passed credentials to be seen by any user.
Could you please consider allowing the same value to be passed as environment variable to hide it from the rest of the users? (i.e. WEBSOCAT_BASIC_AUTH)
The text was updated successfully, but these errors were encountered: