![]() ![]() You can then lock down access to the secret like you would access to the root account. Use the same filename in production but it will be in the home directory of the account that runs the command in production. The benefit of this approach is you can arrange it so the secret can be hidden in production. This might be troublesome if there is a non-optional arg that has to appear after -password One limitation is that the <<string has to be the last argument given to the command. Works if the command can accept the secret from std-in. app.config #sets the environment variables ![]() ![]() Works if you have control of the code (e.g. Works if the command prompts for the password from stdin AND if 'echo' is a builtin of your shell. Load the config file so the environment variable gets set. The file needs to be in the home directory of the user running the command. Inside the file set an environment variable to the secret. Set the permissions of the file to be read-only by owner. If the secret doesn't change between executions, use a special configuration file, ".appsecrets". M圜ommand <( s=$secret printenv s ) # approach 3Įxport secret & m圜ommand # another variation of approach 4 S=$secret printenv s | m圜ommand # approach 2 You can avoid this by either running the command from a script (file), or by interactively prompting yourself for password each time: read -s secret In all of the above approaches, be wary of leaving the command in bash command history ( ~/.bash_history). In the last case your program will be launched like m圜ommand /dev/fd/67, where the contents of /dev/fd/67 is your secret ( hello-neo in this example). Use temporary file descriptor: m圜ommand <( mySecret='hello-neo' printenv mySecret ) If your program can read them, do this: mySecret='hello-neo' m圜ommand Use environment variables ( with caveats). Use a dedicated file if you want to keep the secret detached from the main script (note that you'd be recommended to use full disc encryption and make sure the file has correct chmod permissions): cat /my/secret | m圜ommand Use standard input: mySecret='hello-neo' printenv mySecret | m圜ommand Good news is that you can still have a secret by using alternatives: They will still be visible to other users via ps aux and cat /proc/$YOUR_PROCESS_PID/cmdline at the time of launching the program (before the program has a chance to do run-time changes to arguments). ![]() O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.First, you can NOT hide command line arguments. Get Linux Pocket Guide now with the O’Reilly learning platform. Remember, you can extract information more finely from the output of ps using grep or other filter programs. Particular processes 1, 2, and 3505: $ ps -p1,2,3505Īll processes with command lines truncated to screen width: $ ps -efĪll processes with full command lines: $ ps -efwwĪnd all processes in a threaded view, which indents child processes below their parents: $ ps -efH If the options seem arbitrary or inconsistent, it’s because the supplied ps command (GNU ps) incorporates the features of several other Unix ps commands, attempting to be compatible with all of them.Īll of user smith’s processes: $ ps -U smithĪll occurrences of a program: $ ps -C program_name Ps has at least 80 options we’ll cover just a few useful combinations. The ps command displays information about your running processes, and optionally the processes of other users. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |