resticprofile
resticprofile copied to clipboard
creativeprojects
Security issue: RESTIC_PASSWORD and other envieonmant variables are available to every user in systemd service unit
If I install systemd service then every environment variable defined in config file is available to any user on server.
How to reproduce:
Config file /etc/restic/profiles.yaml:
default:
env:
RESTIC_REPOSITORY: 'rest:http://login:[email protected]:8000/project'
RESTIC_PASSWORD: 'restic-pass'
schedule:
inherit: default
...
Install systemd service: resticprofile schedule.schedule.
Run as any user: systemctl cat [email protected]:
# /etc/systemd/system/[email protected]
[Unit]
Description=resticprofile backup for profile schedule in /etc/restic/profiles.yaml
[Service]
Type=notify
WorkingDirectory=/home/user
ExecStart=/usr/local/bin/resticprofile --no-prio --no-ansi --config /etc/restic/profiles.yaml --name schedule --log /var/log/restic.log backup
Nice=5
Environment="RESTIC_REPOSITORY=rest:http://login:[email protected]:8000/project"
Environment="RESTIC_PASSWORD=restic-pass"
Environment="HOME=/root"
Environment="SUDO_USER=user"
I expect the same issue with AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and any other environment variables: https://github.com/creativeprojects/resticprofile/blob/0598026a98728cdcbe732ad81dc1bbcfefe2901c/schedule/handler_systemd.go#L111
This issue was mentioned in https://github.com/creativeprojects/resticprofile/issues/211#issuecomment-1558988651, but since then https://github.com/creativeprojects/resticprofile/pull/212 was implemented and all passwords are added from private config file to public service unit by default.
Is there a way to hide RESTIC_REPOSITORY, RESTIC_PASSWORD and AWS_SECRET_ACCESS_KEY for other users?
