
passwords as java system properties

Open jgeraerts opened this issue 9 years ago • 1 comments

Environ allows you to override settings as Java system properties, which in itself can come in very handy. But security-wise it might not be the best idea. A non-privileged user on a shared system can see, for example, all arguments that were given to a certain program. So if passwords are passed this way, one can see all arguments with a simple ps command.

I suggest that at least the documentation warns about this.

Environ can even add some regexes to the keywords so it can warn if something "passwordish" is passed as a Java system property.

jgeraerts, Dec 21 '15 06:12

I don't want to add anything to the code about this, as trying to guess whether a user has done something dangerous is not going to be reliable.

However, a small note in the README sounds fine.

weavejester, Dec 21 '15 13:12
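
An audit sketch for the exposure discussed in this thread, added here as an example (not code from environ or from either poster): it reads process command lines the way `ps` does on Linux and reports `-D` properties whose key looks like a credential, without echoing the value. The key pattern and the function names are assumptions, and matching on names is only a heuristic.

```python
import re
from pathlib import Path

# Assumed heuristic for "passwordish" keys (not part of environ). It over-matches
# (password.min.length) and misses secrets stored under unrelated names (db.pw).
SECRET_KEY = re.compile(r"passw(or)?d|passphrase|secret|token|api[._-]?key|credential", re.I)

def secret_properties(cmdline: bytes):
    """Return [(key, redacted)] for -Dkey=value arguments whose key looks secret.

    cmdline is the raw content of /proc/<pid>/cmdline: arguments separated by NUL.
    """
    findings = []
    for raw in cmdline.split(b"\0"):
        arg = raw.decode("utf-8", "replace")
        if not arg.startswith("-D") or "=" not in arg:
            continue
        key, value = arg[2:].split("=", 1)
        if value and SECRET_KEY.search(key):
            findings.append((key, "********"))  # report the key, never the value
    return findings

def scan_proc(proc_root="/proc"):
    """Yield (pid, key) for each exposed property in readable processes (Linux)."""
    root = Path(proc_root)
    if not root.is_dir():
        return
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            data = (entry / "cmdline").read_bytes()
        except OSError:  # process exited, or /proc is mounted with hidepid
            continue
        for key, _ in secret_properties(data):
            yield int(entry.name), key

# Constructed sample: what `java -Ddatabase.password=hunter2 ...` leaves in cmdline.
SAMPLE = b"java\0-Xmx512m\0-Ddatabase.password=hunter2\0-Dport=8080\0-jar\0app.jar\0"

if __name__ == "__main__":
    print(secret_properties(SAMPLE))
    for pid, key in scan_proc():
        print(f"pid {pid}: system property {key!r} is visible to other local users")
```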