Best practice for managing secrets (passwords, private keys) used by Python scripts running as daemons

Chris Angelico rosuav at gmail.com
Sat Mar 24 15:41:21 EDT 2018


On Sun, Mar 25, 2018 at 4:24 AM, Peter J. Holzer <hjp-python at hjp.at> wrote:
> On 2018-03-23 11:50:52 -0700, Dan Stromberg wrote:
>> I'd put them in a file with access to the daemon..
>>
>> Putting credentials in an environment variable is insecure on Linux,
>> because ps auxwwe lists environment variables.
>
> But only those of your own processes. So both methods are about equally
> secure: If you can become the daemon user (or root), then you can read
> the secret.

If you can become the daemon user, you can do whatever the daemon user
can. (Do people ever write HTTP crawler scripts that run as user
"spiderman"? Yeah, probably.) So, pretty much _by definition_, both
methods are insecure there. (And obviously if you can become root,
everything's wiiiiiide open.) Normally, I would consider that to be
fine; proper use of Unix user isolation is usually sufficient. But if
you are absolutely crazily paranoid, you CAN try other methods; just
be aware that whatever you do is going to move the problem around, not
solve it. First thing that comes to my mind is storing the secret on a
completely separate computer, and the daemon establishes a socket
connection to that computer to request the secret. If another process
attempts to get the secret, the secret-manager first pings its
existing socket, saying "hey, you okay there?", and then between you,
you decide what to do.

Could be fun to mess around with, but normally I would just depend on
file and process ownership.

ChrisA
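
The file-and-ownership approach discussed in this thread, as an added example (not code from any of the posters): a loader the daemon can call that refuses to read the secret unless the file is a regular file owned by the daemon's own user with no group/other permission bits. The names `load_secret`, `InsecureSecretFile` and `daemon.secret`, and the secret value, are assumptions made for illustration.

```python
import os
import stat
import tempfile


class InsecureSecretFile(Exception):
    """The secret file's type, owner or mode lets someone else reach it."""


def load_secret(path, expected_uid=None):
    """Return the secret bytes, or raise if the file is not locked down."""
    if expected_uid is None:
        expected_uid = os.geteuid()  # the user the daemon runs as
    # O_NOFOLLOW: refuse a symlink planted at the final path component.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        # fstat the descriptor we opened, so the checks and the read
        # apply to the same inode (no check-then-open race).
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise InsecureSecretFile(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise InsecureSecretFile(f"{path}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(st.st_mode)
            raise InsecureSecretFile(f"{path}: mode {mode:04o} is too open")
        with os.fdopen(fd, "rb") as f:
            fd = None  # the file object now owns the descriptor
            return f.read().rstrip(b"\n")
    finally:
        if fd is not None:
            os.close(fd)


def demo():
    """Constructed sample: a throwaway secret file, first 0600, then 0644."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "daemon.secret")  # hypothetical file name
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(b"constructed-sample-secret\n")
        ok = load_secret(path)
        os.chmod(path, 0o644)  # simulate a sloppy deployment
        try:
            load_secret(path)
            rejected = False
        except InsecureSecretFile:
            rejected = True
        return ok, rejected
```

This check only guards against other unprivileged users; anyone who can become the daemon user or root can still read the file.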
