0

Username and Password are passed as plain text as environment variable while running a bash script from a existing process. using following command.

sudo -u someuser USERNAME=abc PASSWORD=xyz /path/to/script/bashscript argument1 argument2

Above bash script is user configurable script with username and password. the challenge I am facing above is, Environment variables are getting logged. like in auth.log which we don't want.

I am looking for ways to achieve one of the following:

  1. To prevent it from logging(into auth.log).
  2. encrypt username and password in exiting process(c program) and pass as environment variable and have some way to decrypt it in bash script.

I tried looking solution for this. didn't found any which fit with my use-case. Can someone please help me with this? I will also like to know any other ways to make system more secure.

Improve this question
6
  • 1
    This may be better asked on security.stackexchange. Have you considered communicating using a shared file only readable by those users or a named pipe? A fole with credentials seems to be the typical way to handle this. Commented Jan 4, 2023 at 9:53
  • 1
    See if any of the methods described in this post is relevant here. Commented Jan 4, 2023 at 9:59
  • @davidgo we don't want to keep it in any file. cause if someone have root access to system also they should not be able to see it. want to keep it in memory. though wrt to current implementation this still be better solution. i will look into this. Thanks Commented Jan 4, 2023 at 10:09
  • 1
    If someone has root access its game over if the key is at any time unencrypted between processes -- they can dump the memory or do any number of other things to get the key. To bypass this you need a different paradigm - like public/private key encryption and only handling publuc keys (or maybe an API/token or abstracted user management like SAML or LDAP) Commented Jan 4, 2023 at 10:15
  • @harrymc thanks for your reply. solution provide here is configuration file approach to avoid logging in auth.log. In my use case we don't want to permanent stop logging. since these logs are useful when we run script without username/password. we run many instances of this script in regular interval of time. want to not log when we pass username/password using some flag or mechanism at runtime. Commented Jan 4, 2023 at 10:16

1 Answer 1

Reset to default
0

According to RSyslog Documentation - Filter Conditions, you may add a custom string filter for rsyslog inside a filter file as in /etc/rsyslog.d/anyname.conf, by using some identifying string for the logged message for this command:

:msg, contains, "bashscript" stop

See the post How to stop sudo PAM messages in auth.log for a specific user? and especially the answer by not2qubit.

(Unfortunately, I'm unable to test it myself.)

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.