Re: [systemd-devel] How to get Credential into Environment variable?

2023-11-04 Thread chandler
Lennart Poettering wrote on 10/24/23 4:51 AM:
>  what you are looking for is not supported and we won't support it, because 
> it defeats one main design goal of credentials: to require access control on 
> access, and not allow "greedy" inheritance down the process tree.
> 
> Sorry if that's disappointing!
> 
> If a service insists on reading its credentials from an env var or cmdline 
> and supports nothing else this is of course disappointing, but it's simply 
> not compatible with the credentials logic, without manual glue scripting.

    I totally agree Lennart!  I was definitely getting frustrated with
the config.  Thank you for making it clear.  Unbelievable an app would
even be coded today with command line options for secrets!  

    The sad part is this particular app is the Telegram Bot API
and Telegram I thought was
considered one of the groups more focused on security, I guess not in
this case... At least it's open source ... I should be able to just add
a reference to the code somewhere like you said, to
$CREDENTIALS_DIRECTORY/id and $CREDENTIALS_DIRECTORY/hash for example,
somewhere around here

maybe?  

    If you (or anyone else) has any ideas off the top of your heads let
me know.  Otherwise I'll probably be reporting this as an issue looking
for more secure solutions.  Thanks again.

Best,
Chandler



Re: [systemd-devel] How to get Credential into Environment variable?

2023-10-24 Thread Lennart Poettering
On Tue, 26.09.23 04:39, chandler (s...@riseup.net) wrote:

> Hi all,
>
>     I'm not quite grasping something here... I've just learned about
> `systemd-creds` and now trying to utilize it with a service which
> depends on a secret stored in an environment variable (or passed as a
> CLI option).
>
> Normally I could use a line like:
>
> `Environment=SEC=1234`
>
> Now I've:
>
> 1) Given "1234" to `systemd-ask-password -n | systemd-creds encrypt
> --name=secret --pretty - -`
> 2) Put the resulting `SetCredentialEncrypted=secret: ...` under the
> [Service] section
> 3) Failing with `Environment=SEC=%d/secret`
>
> Now `SEC=/run/credentials/myService.service/secret` but I need the value
> from the file, which I verified with a simple `ExecStart=checkEnv.sh`
> which runs `cat ${SEC}` which prints `1234`.
>
> Also tried putting the secret, e.g. "1234", into a temp file `/tmp/sec`
> and ran:
>
> `systemd-creds encrypt --name=secret --pretty /tmp/sec -`
>
> but the results are the same.
>
> How to get `SEC=1234` basically?

The credentials logic is supposed to be used *in* *place* of
environment variables. Environment variables are an awful way to pass
credentials to services, since they are inherited down the process
tree even across security boundaries by default, and there's zero
access control on them. (and they are not really compatible with
binary data or larger data, and so on)

Hence, what you are looking for is not supported and we won't support
it, because it defeats one main design goal of credentials: to require
access control on access, and not allow "greedy" inheritance down the
process tree.

Sorry if that's disappointing!

If a service insists on reading its credentials from an env var or
cmdline and supports nothing else this is of course disappointing, but
it's simply not compatible with the credentials logic, without manual
glue scripting.

We generally recommend that services support reading the credentials
from files (in which case you can point them to
$CREDENTIALS_DIRECTORY/ to read what they want), or even better:
just natively support credentials by looking at $CREDENTIALS_DIRECTORY
on their own, without being told so.

If you have an app that doesn't allow either, and really and only
wants env vars or cmdline params, then you can script around this,
with a script like this:

```bash
#!/bin/bash

# Read the first line of the credential file that systemd placed in
# $CREDENTIALS_DIRECTORY and hand it to the program as an env var.
read -r MYCRED < "$CREDENTIALS_DIRECTORY"/mycred
export MYCRED

# Replace the shell with the real service binary.
exec mybinary
```

you get the idea.

Lennart

--
Lennart Poettering, Berlin


Re: [systemd-devel] How to get Credential into Environment variable?

2023-10-21 Thread chandler
Well over the past month I've searched and searched and read and read
but there appears to be no way to use `Environment` or `EnvironmentFile`
options when using encrypted credentials.  Can't use `ExecStartPre`
either.  I'm sick of all the trial and error at this point, my original
thought is the only way I've figured to do this:

1) Use `SetCredentialEncrypted=secret: [...]`
2) `ExecStart` option has to be something like this then:
`ExecStart=/usr/bin/sh -c 'SEC=$(cat %d/secret)  mySvc '`

I don't think this poses any security concerns as far as leaking `$SEC`
or `%d/secret` to regular users on the system, but let me know if you
notice anything.  `DynamicUser=true` is set.  `systemctl status
mySvc.service` shows:

CGroup: /system.slice/mySvc.service
├─ /usr/bin/sh -c "SEC=\"\$(cat
/run/credentials/mySvc.service/secret)\"   mySvc "

As a regular user `systemctl show mySvc.service` has a similar entry
for `ExecStart` and `ExecStartEx` options.

Likewise, `ps` shows `/usr/bin/sh -c SEC="$(cat
/run/credentials/mySvc.service/secret)"`.

Finally, `/proc/` has a number of files with o+r permission.  Not
sure where any leaks could be there besides `environ` file, which does
have `SEC=1234` in it but with restrictive mode 600 on it too.



chandler wrote on 9/26/23 4:39 AM:
> Hi all,
> 
>     I'm not quite grasping something here... I've just learned about
> `systemd-creds` and now trying to utilize it with a service which
> depends on a secret stored in an environment variable (or passed as a
> CLI option).
> 
> Normally I could use a line like:
> 
> `Environment=SEC=1234`
> 
> Now I've:
> 
> 1) Given "1234" to `systemd-ask-password -n | systemd-creds encrypt
> --name=secret --pretty - -`
> 2) Put the resulting `SetCredentialEncrypted=secret: ...` under the
> [Service] section
> 3) Failing with `Environment=SEC=%d/secret`
> 
> Now `SEC=/run/credentials/myService.service/secret` but I need the value
> from the file, which I verified with a simple `ExecStart=checkEnv.sh`
> which runs `cat ${SEC}` which prints `1234`.
> 
> Also tried putting the secret, e.g. "1234", into a temp file `/tmp/sec`
> and ran:
> 
> `systemd-creds encrypt --name=secret --pretty /tmp/sec -`
> 
> but the results are the same.
> 
> How to get `SEC=1234` basically?  I have to use `ExecStartPre=` and run
> a pre-script that defines `SEC` with shell code?  Something like
> `SEC=$(cat %d/secret)` is all that's needed right?  Or it needs to be
> exported too at this point?  Doesn't that defeat the purpose of
> `systemd-creds` now?  Maybe I can just put that in the `ExecStart=` line
> instead... will keep trying in the mean time
> 
> Thanks
> 
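As an added example (my own, not Lennart's glue script above, not chandler's inline `sh -c 'SEC=$(cat %d/secret) mySvc'`, and not part of systemd or the Telegram Bot API): a more defensive version of the same glue that both messages describe. It reads the whole credential file rather than only its first line, refuses to start the program when `$CREDENTIALS_DIRECTORY` is unset or the credential is missing or empty, validates the names it is given, and keeps the secret out of the visible command line by passing it only through the environment of the exec'd program. The credential name `mycred`, the variable `MYCRED` and the program names are hypothetical.

```shell
#!/bin/sh
# Added example: a wrapper that moves one systemd credential from
# $CREDENTIALS_DIRECTORY into an environment variable for a program that
# accepts secrets no other way. Names (mycred, MYCRED, mybinary) are
# hypothetical; nothing here is systemd's own code.
set -u

# load_credential NAME VARNAME
# Reads the whole credential file into VARNAME and exports it. Unlike
# `read -r`, embedded newlines survive; only one trailing newline is
# dropped, matching what $(cat ...) would give. Returns non-zero rather
# than letting the program start with an empty or missing secret.
load_credential() {
    name=$1
    var=$2

    # Reject names that could escape the credentials directory, and
    # variable names that are not valid shell identifiers (needed because
    # the assignment below goes through eval).
    case $name in
        ''|*/*|.|..) echo "load_credential: bad credential name '$name'" >&2; return 1 ;;
    esac
    case $var in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "load_credential: bad variable name '$var'" >&2; return 1 ;;
    esac

    # systemd only sets CREDENTIALS_DIRECTORY for units that carry
    # credentials; never fall back to a guessed path.
    if [ -z "${CREDENTIALS_DIRECTORY:-}" ]; then
        echo "load_credential: CREDENTIALS_DIRECTORY is not set" >&2
        return 1
    fi
    path="$CREDENTIALS_DIRECTORY/$name"
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
        echo "load_credential: credential '$name' missing or unreadable" >&2
        return 1
    fi

    # A sentinel keeps command substitution from eating trailing newlines;
    # then strip the sentinel and at most one newline.
    value=$(cat "$path"; printf x)
    value=${value%x}
    nl=$(printf '\n.'); nl=${nl%.}
    value=${value%"$nl"}
    if [ -z "$value" ]; then
        echo "load_credential: credential '$name' is empty" >&2
        return 1
    fi

    # $var was validated as an identifier above, so eval is safe here.
    eval "$var=\$value"
    export "$var"
    unset value
}

# run_with_credential NAME VARNAME PROGRAM [ARGS...]
# Loads the credential, then replaces this shell with PROGRAM. The secret
# travels only in PROGRAM's environment (/proc/PID/environ, mode 0600);
# the command line shown by ps or `systemctl show` carries just the
# program and its arguments, never the value.
run_with_credential() {
    load_credential "$1" "$2" || exit 1
    shift 2
    exec "$@"
}

# In a unit this would be ExecStart=/usr/local/bin/with-cred.sh with the
# script ending in, for example:
#   run_with_credential mycred MYCRED /usr/bin/mybinary --some-flag
```

Because the wrapper exits before `exec` when the credential cannot be loaded, a misconfigured unit fails at start instead of running the service with an empty `MYCRED`; systemd's normal failure handling then applies.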


[systemd-devel] How to get Credential into Environment variable?

2023-09-26 Thread chandler
Hi all,

    I'm not quite grasping something here... I've just learned about
`systemd-creds` and now trying to utilize it with a service which
depends on a secret stored in an environment variable (or passed as a
CLI option).

Normally I could use a line like:

`Environment=SEC=1234`

Now I've:

1) Given "1234" to `systemd-ask-password -n | systemd-creds encrypt
--name=secret --pretty - -`
2) Put the resulting `SetCredentialEncrypted=secret: ...` under the
[Service] section
3) Failing with `Environment=SEC=%d/secret`

Now `SEC=/run/credentials/myService.service/secret` but I need the value
from the file, which I verified with a simple `ExecStart=checkEnv.sh`
which runs `cat ${SEC}` which prints `1234`.

Also tried putting the secret, e.g. "1234", into a temp file `/tmp/sec`
and ran:

`systemd-creds encrypt --name=secret --pretty /tmp/sec -`

but the results are the same.

How to get `SEC=1234` basically?  I have to use `ExecStartPre=` and run
a pre-script that defines `SEC` with shell code?  Something like
`SEC=$(cat %d/secret)` is all that's needed right?  Or it needs to be
exported too at this point?  Doesn't that defeat the purpose of
`systemd-creds` now?  Maybe I can just put that in the `ExecStart=` line
instead... will keep trying in the mean time

Thanks