Writing a runit script for a program that requires a passphrase


I wrote a Python program that requires a passphrase to run, and I would like to securely read the passphrase at startup. I would also like to supervise this program with runit.

So far, my program reads the passphrase from the environment variable "PASSPHRASE". I was planning to start it in such a way that runit would set the variable at startup:

    #!/bin/bash
    # file /etc/sv/mypgrm/run
    read -s -p "passphrase :" passphrase
    exec 2>&1
    # quote the value so a passphrase containing spaces stays one argument
    exec chpst env PASSPHRASE="$passphrase" myprgm

However, this approach does not work and the line where the program is actually started is never reached. When I remove the first line of the script, the program starts with an empty passphrase.

Could you suggest an alternate (secure) way of proceeding? Thank you!


There are 1 answers

user48678 On

OK, after sharing this problem with fellow security-aware engineers, it turns out that this question is actually 2-fold:

  1. How to configure my app without putting the secret in the code?
  2. How to store the secret?

The first question has an easy answer: putting secrets in the environment is considered best practice (cf. http://12factor.net/config).

The answer to the second question is essentially another question: What is the threat model? My own reasoning: What would it take to get the passphrase? Be root. Can I prevent anything if the person is root? No, root can fetch anything in memory. Root can steal the data processed by the Python program before it even gets processed. The next threat model is somebody who gets access and is a non-root user. I can prevent these users from reading the passphrase if I store it in a file with proper access rights.

So what I will do is to replace:

    read -s -p "passphrase :" passphrase

with:

    PASSPHRASE=$(cat /etc/mypassphrase)

and set the file to belong to root and be non-readable otherwise. I will update this answer if this does not work.
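The file-based approach from the answer, written out as a complete run script that checks the file's owner and mode before using it. This is an added example, not the poster's code; it assumes GNU coreutils `stat`, and `load_passphrase` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example for /etc/sv/mypgrm/run; not the poster's script.
# Assumes GNU coreutils stat. load_passphrase is a hypothetical helper name.
PASSFILE=/etc/mypassphrase   # path taken from the answer

# Print the first line of file $1, but only if it is a regular file (no
# symlink), owned by uid $2 (default 0, root) and closed to group and others.
load_passphrase() {
    file=$1
    owner_uid=${2:-0}
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "refusing $file: not a regular file" >&2
        return 1
    fi
    meta=$(stat -c '%a %u' "$file") || return 1
    mode=${meta% *}
    uid=${meta#* }
    if [ "$uid" != "$owner_uid" ]; then
        echo "refusing $file: owned by uid $uid, expected $owner_uid" >&2
        return 1
    fi
    case $mode in
        *00) ;;   # e.g. 600 or 400: no group/other permission bits
        *)  echo "refusing $file: mode $mode is open to group or others" >&2
            return 1 ;;
    esac
    pass=
    IFS= read -r pass < "$file" || :   # tolerate a missing trailing newline
    if [ -z "$pass" ]; then
        echo "refusing $file: empty passphrase" >&2
        return 1
    fi
    printf '%s\n' "$pass"
}

# runsv executes this file under the name "run"; the guard lets the function
# be sourced or tested from a file with any other name without starting myprgm.
if [ "${0##*/}" = run ]; then
    exec 2>&1
    PASSPHRASE=$(load_passphrase "$PASSFILE") || exit 1
    # export instead of "env PASSPHRASE=... myprgm": the value never appears
    # in a process argument list, which other local users can see with ps.
    export PASSPHRASE
    exec myprgm
fi
```

If the check fails, the script exits non-zero and the refusal reason lands in the service log, so a passphrase file left group- or world-readable is noticed instead of silently used.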