Prevent logging of environmental variables in sudo

Craig Francis asked:

I’m trying to provide a secret value to a script, via an environmental variable, but not have it logged by sudo in auth.log.

At the moment I have the file:

/etc/secret-key
export SECRET_CONFIG_KEY=K1PX7MZ8an8H2mRQR

This file is owned by root:root (0400).

Using cron and sudo, I can run the script under the www-data user, and provide this value.

5 * * * * root . /etc/secret-key; sudo -u www-data --preserve-env=SECRET_CONFIG_KEY /path/to/script

But the auth.log file then contains lines such as:

Aug 19 18:30:01 server sudo: root : TTY=unknown ; PWD=/root ; USER=www-data ; ENV=SECRET_CONFIG_KEY=K1PX7MZ8an8H2mRQR ; COMMAND=/path/to/script

This file is readable by anyone in the adm group, and is emailed to me every day via LogWatch.

I’m happy to consider alternative approaches.

The main feature is providing this secret value to a script, using the www-data account, where that account is only given access to this value as needed (the account should not have read access to the secret-key file).

As a side note, the www-data account cannot edit any of its scripts, the account is only used to run them.

My answer:
You should probably be using su rather than sudo for this.

Consider something like:

su www-data -w SECRET_CONFIG_KEY -c /path/to/script
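As an added example (not from the question or the answer), a small POSIX shell audit that reads sudo lines in the auth.log format shown above and lists which environment variable names were recorded in the ENV field, without echoing their values; the log lines are constructed samples with placeholder values, and the space-separated layout of several preserved variables is an assumption about sudo's format.

```shell
#!/bin/sh
# Added audit helper (not from the question or answer). Lists the environment
# variable names that sudo recorded in ENV= fields of auth.log lines, so an
# admin can spot preserved variables that may carry secrets. Values are never
# printed. Assumes the log format shown in the question, with several
# preserved variables separated by spaces.

# Constructed sample lines; key values are placeholders, not real secrets.
SAMPLE_LOG='Aug 19 18:30:01 server sudo: root : TTY=unknown ; PWD=/root ; USER=www-data ; ENV=SECRET_CONFIG_KEY=PLACEHOLDER_1 ; COMMAND=/path/to/script
Aug 19 18:35:01 server sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Aug 19 18:40:01 server sudo: root : TTY=unknown ; PWD=/root ; USER=www-data ; ENV=DB_PASS=PLACEHOLDER_2 LANG=C ; COMMAND=/path/to/other
Aug 19 18:45:01 server sshd[123]: Accepted publickey for alice'

# Read log text on stdin; print "invoker target VARNAME" per preserved variable.
sudo_env_names() {
    awk '
        /sudo: / && / ENV=/ {
            line = $0
            split(line, a, "sudo: ")          # a[2] starts with the invoking user
            split(a[2], b, " : ")             # b[1] is the invoking user
            user = b[1]
            target = "?"
            if (match(line, /USER=[^ ;]+/))
                target = substr(line, RSTART + 5, RLENGTH - 5)
            env = line
            sub(/.* ENV=/, "", env)           # drop everything before ENV=
            sub(/ ; COMMAND=.*/, "", env)     # drop the command that follows
            n = split(env, vars, " ")
            for (i = 1; i <= n; i++) {
                name = vars[i]
                sub(/=.*/, "", name)          # keep the name, discard the value
                print user, target, name
            }
        }'
}

# Run the audit over the constructed sample; for a real host use
# sudo_env_names < /var/log/auth.log instead.
audit_sample() {
    printf '%s\n' "$SAMPLE_LOG" | sudo_env_names
}

audit_sample
```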

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.