Best practice for managing secrets (passwords, private keys) used by Python scripts running as daemons
Peter J. Holzer
hjp-python at hjp.at
Sat Mar 24 13:24:56 EDT 2018
On 2018-03-23 11:50:52 -0700, Dan Stromberg wrote:
> I'd put them in a file with access to the daemon.
>
> Putting credentials in an environment variable is insecure on Linux,
> because ps auxwwe lists environment variables.
But only those of your own processes. So both methods are about equally
secure: If you can become the daemon user (or root), then you can read
the secret.
(Historically, many unixes allowed all users to read the environment
variables of all processes. I don't know if this is still the case for
e.g. Solaris or AIX - or macOS)
hp
--
   _  | Peter J. Holzer    | we build much bigger, better disasters now
|_|_) |                    | because we have much more sophisticated
| |   | hjp at hjp.at      | management tools.
__/   | http://www.hjp.at/ |    -- Ross Anderson <https://www.edge.org/>
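The point made in the reply above is that a secrets file is only as safe as the daemon account that owns it: once the file is readable by anyone else, it is worse than an environment variable, not equivalent. The following is an added example, not code posted by anyone in this thread, showing the check a daemon can do before trusting such a file: open it without following symlinks, fstat the open descriptor (so the check and the read refer to the same file), and refuse it unless it is a regular file owned by the effective uid with no group or world bits. The file names, the sample secret and the `demo()` driver are constructed for the illustration.

```python
import os
import stat
import tempfile


def load_secret_file(path: str) -> str:
    """Return the contents of a secret file, or raise PermissionError
    if anyone other than this process's user (and root) could read it."""
    # O_NOFOLLOW: refuse a symlink planted where the secret is expected.
    # It is absent on some platforms, so fall back to 0 there.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags)
    with os.fdopen(fd, "r") as f:
        # fstat the descriptor we will read from, not the path: no
        # check-then-use race against a file swapped in between.
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(
                f"{path}: owned by uid {st.st_uid}, expected {os.geteuid()}")
        # Any group or world bit (0o077) means the secret is readable by
        # more than the daemon user and root, which defeats the point.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(
                f"{path}: mode {oct(st.st_mode & 0o777)} is group- or world-accessible")
        return f.read().rstrip("\n")


def demo() -> dict:
    """Constructed demonstration: one correctly protected file (0600) and
    one left at a typical default (0644). Returns what happened to each."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        strict = os.path.join(d, "db-password")         # constructed path
        loose = os.path.join(d, "db-password-leaky")    # constructed path
        for p, mode in ((strict, 0o600), (loose, 0o644)):
            with open(p, "w") as f:
                f.write("correct horse battery staple\n")  # constructed sample secret
            os.chmod(p, mode)  # set the mode explicitly, independent of umask
        results["strict"] = load_secret_file(strict)
        try:
            load_secret_file(loose)
            results["loose"] = "loaded"
        except PermissionError:
            results["loose"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

With the check in place the file and the environment variable really are on equal footing: both are readable only by the daemon's uid and by root. The check does not protect against either of those, which is exactly the situation the reply describes.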