Craig Francis asked:
I’m trying to provide a secret value to a script, via an environmental variable, but not have it logged by sudo.
At the moment I have the file /etc/secret-key:
export SECRET_CONFIG_KEY=K1PX7MZ8an8H2mRQR
This file is owned by root:root (0400).
With sudo, I can run the script under the www-data user, and provide this value.
5 * * * * root . /etc/secret-key; sudo -u www-data --preserve-env=SECRET_CONFIG_KEY /path/to/script
The auth.log file then contains lines such as:
Aug 19 18:30:01 server sudo: root : TTY=unknown ; PWD=/root ; USER=www-data ; ENV=SECRET_CONFIG_KEY=K1PX7MZ8an8H2mRQR ; COMMAND=/path/to/script
Which is readable by anyone in the adm group, and emailed to me every day via LogWatch.
I’m happy to consider alternative approaches.
The main feature is providing this secret value to a script, using the www-data account, where that account is only given access to this value as needed (the account should not have read access to the secret-key file).
As a side note, the www-data account cannot edit any of its scripts; the account is only used to run them.
You should probably be using su rather than sudo for this.
Consider something like:
su www-data -w SECRET_CONFIG_KEY -c /path/to/script
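As an added check (example code, not part of the question or the answer above): once one line like the question's has shown up, the practical follow-up is to find out which other variables sudo has already written to auth.log, and to confirm that the local su actually offers the -w option the answer relies on. The shell below scans sudo log lines for their ENV= field and reports only the variable names, never the values, so the audit does not copy the secret into yet another file. The log lines are constructed for this example (the first copies the question's line); that sudo writes several ENV= pairs space-separated, and that a util-linux su (2.32 or later) lists --whitelist-environment in its --help output, are assumptions.

```shell
#!/bin/sh
# Added example (not from the original question or answer): audit an auth.log
# excerpt for variables that sudo recorded in its "ENV=" field, the way the
# question's cron job leaked SECRET_CONFIG_KEY. Sample lines below are
# constructed; the first copies the line from the question, the others are
# ordinary sudo entries for contrast.

SAMPLE_AUTH_LOG='Aug 19 18:30:01 server sudo: root : TTY=unknown ; PWD=/root ; USER=www-data ; ENV=SECRET_CONFIG_KEY=K1PX7MZ8an8H2mRQR ; COMMAND=/path/to/script
Aug 19 18:30:01 server sudo: pam_unix(sudo:session): session opened for user www-data by (uid=0)
Aug 19 18:35:01 server sudo: root : TTY=unknown ; PWD=/root ; USER=www-data ; COMMAND=/path/to/script
Aug 19 18:40:02 server sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; ENV=LANG=C.UTF-8 EDITOR=vim ; COMMAND=/usr/bin/visudo'

# Read sudo log lines on stdin; for every VAR=value pair inside an ENV= field
# print "VAR invoked_by=<user> at=<timestamp>". Only the variable NAME is
# printed, so running the audit does not re-expose the secret value.
sudo_env_leaks() {
    awk '
        /sudo: .* ENV=/ {
            env = $0
            sub(/.* ENV=/, "", env)           # drop everything up to ENV=
            sub(/ ; COMMAND=.*/, "", env)     # drop the trailing COMMAND= field
            n = split(env, pairs, " ")        # assumption: pairs are space-separated
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")      # kv[1] is the variable name
                printf "%s invoked_by=%s at=%s %s %s\n", kv[1], $6, $1, $2, $3
            }
        }'
}

# Number of leaked variables found on stdin (one per printed line).
sudo_env_leak_count() {
    sudo_env_leaks | awk 'END { print NR }'
}

# The answer relies on su -w/--whitelist-environment, present in util-linux su
# from version 2.32 onward. Assumption: that su names the option in --help;
# busybox or BSD su will not, and then this returns false.
su_supports_whitelist() {
    su --help 2>&1 | grep -q -- '--whitelist-environment'
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | sudo_env_leaks
if su_supports_whitelist; then
    echo "su supports -w; 'su www-data -w SECRET_CONFIG_KEY -c /path/to/script' is available"
else
    echo "this su lacks -w (needs util-linux 2.32 or later); use a different hand-off"
fi
```

Run it against the real file with `sudo_env_leaks < /var/log/auth.log` (as a member of adm, exactly the audience the question worries about); every name it prints is a variable whose value is already sitting in the log and in the LogWatch mail.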
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.