On 24/03/18 20:41, Chris Angelico wrote:
> On Sun, Mar 25, 2018 at 4:24 AM, Peter J. Holzer <hjp-pyt...@hjp.at> wrote:
>> On 2018-03-23 11:50:52 -0700, Dan Stromberg wrote:
>>> I'd put them in a file with access to the daemon.
>>>
>>> Putting credentials in an environment variable is insecure on Linux,
>>> because ps auxwwe lists environment variables.
>>
>> But only those of your own processes. So both methods are about equally
>> secure: If you can become the daemon user (or root), then you can read
>> the secret.
>
> If you can become the daemon user, you can do whatever the daemon user
> can.
If you're using something like SELinux, I don't think that's *necessarily* true (but I really don't know much about SELinux). Normally, though, I should think that protecting the secret with user isolation (e.g. by putting it into a file with the right permissions) should be fine. Environment variables should be fine too, but really this just moves the problem up one level: where does the parent process get the secret when it sets up the environment?

-- 
https://mail.python.org/mailman/listinfo/python-list
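The two mechanisms compared in this thread, a secret file protected by file permissions and the per-process environment exposed through /proc, as an added example; this is not code from the thread or from any of its participants. It assumes a Unix host (Linux for the /proc part) and Python 3; the function and file names (`load_secret`, `write_secret_file`, `environ_readable`, `daemon.secret`) and the sample secret `hunter2` are made up for the example. The loader does the checks a practitioner would want before trusting a secret file: open with O_NOFOLLOW, then fstat the open descriptor (so the file cannot be swapped between check and read) and refuse the file unless it is a regular file, owned by the expected uid, with no group or world bits. `environ_readable` illustrates Peter Holzer's point that `/proc/<pid>/environ` is only readable for your own processes (root excepted).

```python
"""Secret in a file vs. secret in the environment (added example, not from the thread)."""
import os
import stat
import tempfile


class SecretPermissionError(RuntimeError):
    """Raised when a secret file is not private to the expected user."""


def load_secret(path, expected_uid=None):
    """Return the bytes stored in *path* after verifying the file is private.

    All checks run on the already-open descriptor via fstat(), so a
    check-then-open race cannot substitute a different file.
    """
    if expected_uid is None:
        expected_uid = os.geteuid()
    # O_NOFOLLOW: a symlink planted at *path* is refused rather than followed.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise SecretPermissionError("%s: not a regular file" % path)
        if st.st_uid != expected_uid:
            raise SecretPermissionError(
                "%s: owned by uid %d, expected %d" % (path, st.st_uid, expected_uid))
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise SecretPermissionError(
                "%s: mode %04o grants access to group/other"
                % (path, stat.S_IMODE(st.st_mode)))
        fh = os.fdopen(fd, "rb")  # fh now owns fd
    except BaseException:
        os.close(fd)
        raise
    with fh:
        return fh.read().strip()


def write_secret_file(path, secret, mode=0o600):
    """Create *path* exclusively with exactly *mode* and write *secret* to it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.fchmod(fd, mode)  # the umask may have narrowed the mode at creation
        os.write(fd, secret)
    finally:
        os.close(fd)


def environ_readable(pid="self"):
    """True if /proc/<pid>/environ is readable by us, False if not, None if no /proc.

    Linux only grants this to the process owner (and root), which is why
    `ps e` shows environment variables of your own processes only.
    """
    path = "/proc/%s/environ" % pid
    if not os.path.exists(path):
        return None
    try:
        with open(path, "rb") as fh:
            fh.read()
        return True
    except PermissionError:
        return False


def demo():
    """Exercise both paths with constructed files; returns the observations."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        private = os.path.join(workdir, "daemon.secret")
        write_secret_file(private, b"hunter2\n", 0o600)
        results["private"] = load_secret(private)

        leaky = os.path.join(workdir, "world-readable.secret")
        write_secret_file(leaky, b"hunter2\n", 0o644)
        try:
            load_secret(leaky)
            results["leaky_rejected"] = False
        except SecretPermissionError as exc:
            results["leaky_rejected"] = True
            results["leaky_reason"] = str(exc)

    results["own_environ_readable"] = environ_readable("self")
    results["init_environ_readable"] = environ_readable(1)  # False unless root
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %r" % (key, value))
```

Run the script as an unprivileged user and `init_environ_readable` comes back False while `own_environ_readable` is True, matching the "only your own processes" observation; run it as root and both are True, matching "if you can become root, you can read the secret". The file loader is the part worth reusing: a 0644 secret file is refused with a message naming the offending mode, and the ownership check stops a daemon from happily reading a file another user dropped in its path.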