bash Linux - 保护环境变量
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4129631/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Linux - securing environment variables
提问by Gaurav
Just wondering if there is any way to secure the environment variables in a *nix system such that they can not be read from any plain text file, but is available in the environment.
只是想知道是否有任何方法可以保护 *nix 系统中的环境变量,使其无法从任何纯文本文件中读取,但在环境中可用。
I know we can always use filesystem level permissions for .bashrc/.bash_profile, but what if certain variables (like db passwords) are to be hidden completely?
我知道我们总是可以对 .bashrc/.bash_profile 使用文件系统级别的权限,但是如果要完全隐藏某些变量(如数据库密码)怎么办?
One way to do would be to write some sort of program/perl script to:
一种方法是编写某种程序/perl 脚本来:
- Take inputs from a plain text file and encrypt/hash the content (and then get rid of the plain text file)
- Use the same to decrypt the file runtime and export the values from the decrypted output (I know this program can be used to dump the decrypted values somewhere, but I am not concerned about that right now)
- 从纯文本文件中获取输入并加密/散列内容(然后删除纯文本文件)
- 使用相同的方法解密文件运行时并从解密的输出中导出值(我知道这个程序可以用来将解密的值转储到某处,但我现在不关心这个)
Is there any other better and more obvious way to achieve this?
有没有其他更好、更明显的方法来实现这一目标?
Thanks!
谢谢!
-Gaurav
-高拉夫
回答by J-16 SDiZ
No way. Even if you hide it from text file, it is still available from /proc/<pid>/environ(linux) or ps e(other unix).
没门。即使您从文本文件中隐藏它,它仍然可以从/proc/<pid>/environ(linux) 或ps e(其他 unix) 中获得。
回答by Jonathan Leffler
Who are you securing them from?
你从谁那里保护他们?
The short answer is "No". The user can see their own environment variables unless you bottle them up so thoroughly that they can never access the shell. But which editor do you let them use? Did you say 'vim'? Oh, they've got access to the shell, after all.
最简洁的答案是不”。用户可以看到他们自己的环境变量,除非您将它们完全封装到他们永远无法访问 shell。但是您让他们使用哪个编辑器?你说的是“vim”吗?哦,毕竟他们可以访问外壳。
回答by Jonathan
It is sort-of possible, but very indirect. You would need to save the sensitive data into a file readable only by the process that starts the process that needs it in an environment variable. /proc/###/environis only readable by the user as whom a process is running, so the data is safe there.
这有点可能,但非常间接。您需要将敏感数据保存到一个文件中,该文件只能由启动需要它的进程的进程在环境变量中读取。/proc/###/environ只能由正在运行进程的用户读取,因此数据在那里是安全的。
But, more directly, the proper method for hiding stuff like database passwords is to save them in a file readable only by the user and/or group that the program reading them runs as. Don't bother passing them in an environment variable (unless you really need to for some reason), just have the process read them from the file.
但是,更直接地,隐藏诸如数据库密码之类的东西的正确方法是将它们保存在一个文件中,该文件只能由读取它们的程序运行的用户和/或组读取。不要费心将它们传递到环境变量中(除非您出于某种原因确实需要这样做),只需让进程从文件中读取它们即可。
For example, if you are running a web site and the CGI scripts/binaries are started by Apache, which runs as user:group apache:apache, save the database password that the CGI needs into a file owned by apache:apachewith permissions like rw-r-----(640). That way, for somebody to read the file, he needs to either be root, a member of the apachegroup, or running the read program with an effective user or group of apache.
例如,如果你正在运行一个网站,并在CGI脚本/二进制文件是由Apache的,它运行的用户开始:组apache:apache,保存数据库密码的CGI需求成拥有的文件apache:apache中包含的权限rw-r-----(640)。这样,对于读取文件的人来说,他需要是root,apache组的成员,或者以有效用户或apache.
The only benefit to using environment variables is that you can remove them from the environment before starting a sub-process, whereas if the sub-process is to be owned by the same user, it can read the secured file.
使用环境变量的唯一好处是您可以在启动子进程之前将它们从环境中删除,而如果子进程由同一用户拥有,它可以读取受保护的文件。
