Hacker News new | past | comments | ask | show | jobs | submit login

This is effectively saying that they're exposed to root or the owner of the PID, which is the same story as storing secrets in files. Root also has other ways to get secrets out of remote processes.



My problem is with owner-of-PID, if you have directory traversal as root... good luck I guess.

You can store secrets in a process belonging to a different PID and get them with some kind of RPC.


Now that process has to get its secret from somewhere. At some point, you're just recapitulating the design of Hashicorp Vault. But even if you're using Vault, you're most likely injecting secrets as environment variables.


Belonging to a different user*

It can get it from a file that isn't readable by the user that runs remote-accessible code.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: