Wednesday 31 December 2014

Protecting process's envvars from exposure


From what I've read about current best practices for developing web applications (such as the Twelve Factor guide), the recommended approach for storing configuration data is within environment variables. This is specifically contrasted with keeping them inside configuration files, as those are often accidentally checked into the project's repository, breaking the "code/config" separation, and potentially exposing secrets (such as API keys, salts, etc.).


However, what I haven't seen addressed is the defense against accidental exposure. When using configuration files, one can set up file permissions accordingly, preventing anyone but specific users from reading the secret configuration. But Unix systems do not seem to offer such protection for the environment variables of a process -- even if the process is started by a different user:



$ sudo -u root x=5 sleep 30
$ ps au -E | grep sleep # in different terminal
root 53814 s003 S+ 0:00.01 sudo -u root x=5 sleep 30


Should the x variable contain sensitive data, it would be possible to read it just by having login access to the machine, as any user (not necessarily as root, or the user who started the process we want to snoop on). Therefore, this approach to config seems less secure (from the defense-in-depth PoV; obviously, the machine should be protected from unauthorized access) than configuration files -- unless we can somehow protect the environment variables.


My question is thus: is there a way to prevent other users on the same Unix system from seeing the environment variables of a process (through ps a -E and any other possible means)?
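An added Linux-side check, not part of the original post: on Linux the environment of a process lives in /proc/<pid>/environ, a file created with mode 0400 and additionally gated by the kernel's ptrace access check, so an unprivileged user normally gets EACCES for processes owned by anyone else. The script below (hypothetical code, with an assumed heuristic list of secret-looking names) parses that NUL-separated format and reports which processes' secret-looking variables the *current* user can actually read; note that /proc/<pid>/cmdline is world-readable, so a secret passed on a command line, as `x=5` is in the `sudo` invocation above, is visible regardless.

```python
import re
from pathlib import Path

# Assumed heuristic: variable names that usually carry secrets.
SENSITIVE = re.compile(r"(KEY|SECRET|TOKEN|PASS(WORD)?|SALT)", re.IGNORECASE)


def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE layout of /proc/<pid>/environ."""
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:  # skip empty trailing entry and malformed records
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def sensitive_names(env: dict) -> list:
    """Return, sorted, the variable names in env that look like secrets."""
    return sorted(k for k in env if SENSITIVE.search(k))


def audit_proc(proc: Path = Path("/proc")) -> dict:
    """Map pid -> secret-looking variable names for every process whose
    environment the current user can read. Other users' processes normally
    raise PermissionError (mode 0400 plus the ptrace access check) and are
    skipped; a hit on a pid you do not own means the kernel granted you
    ptrace-level access to it, which is worth investigating."""
    exposed = {}
    if not proc.is_dir():  # non-Linux host: nothing to inspect this way
        return exposed
    for entry in proc.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            raw = (entry / "environ").read_bytes()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # not ours, or the process exited meanwhile
        names = sensitive_names(parse_environ(raw))
        if names:
            exposed[int(entry.name)] = names
    return exposed


if __name__ == "__main__":
    for pid, names in sorted(audit_proc().items()):
        print(f"pid {pid}: {', '.join(names)}")
```

Run it once as the service account and once as an unrelated user: the second run should report nothing owned by the first, which is the protection the question asks about.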


