
I'm trying to provide a secret value to a script, via an environmental variable, but not have it logged by sudo in auth.log.

At the moment I have the file:

/etc/secret-key
export SECRET_CONFIG_KEY=K1PX7MZ8an8H2mRQR

This file is owned by root:root (0400).

Using cron and sudo, I can run the script under the www-data user, and provide this value.

5 * * * * root . /etc/secret-key; sudo -u www-data --preserve-env=SECRET_CONFIG_KEY /path/to/script

But the auth.log file then contains lines such as:

Aug 19 18:30:01 server sudo: root : TTY=unknown ; PWD=/root ; USER=www-data ; ENV=SECRET_CONFIG_KEY=K1PX7MZ8an8H2mRQR ; COMMAND=/path/to/script

This file is readable by anyone in the adm group, and is emailed to me every day via LogWatch.

I'm happy to consider alternative approaches.

The main feature is providing this secret value to a script, using the www-data account, where that account is only given access to this value as needed (the account should not have read access to the secret-key file).

As a side note, the www-data account cannot edit any of its scripts, the account is only used to run them.

Craig Francis

1 Answer


You should probably be using su rather than sudo for this.

Consider something like:

su www-data -w SECRET_CONFIG_KEY -c /path/to/script
Michael Hampton
  • Thanks, I had to tweak it a bit to: `5 * * * * root . /etc/secret-key; su www-data -s /bin/bash -p -c '/path/to/script'` But that's because my server sets `/usr/sbin/nologin` for the shell, only has `-p` to "preserve the current environment", and needed quote marks because the full command was a bit more complicated. – Craig Francis Aug 20 '19 at 12:28
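A root-run cron wrapper that combines the answer's whitelist idea with the comment's -s /bin/sh tweak, added here as an example (it is neither the question's nor the answer's code). /etc/secret-key, SECRET_CONFIG_KEY and /path/to/script are the page's own placeholders; run_with_only, run_as_service_user and run_as_service_user_legacy are hypothetical names.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Root-run cron wrapper: load the secret from the root-only file and hand
# exactly one variable to the service account. su does not write the
# environment to auth.log the way sudo's ENV= field in the question does,
# and the whitelist keeps the rest of root's environment out of the child.
# Hypothetical names: run_with_only, run_as_service_user(_legacy).
# Page placeholders: /etc/secret-key, SECRET_CONFIG_KEY, /path/to/script.

SECRET_FILE=/etc/secret-key
VAR_NAME=SECRET_CONFIG_KEY
TARGET=/path/to/script

# Run "$@" with an environment that contains only the variable named in $1
# (plus a fixed PATH). env -i starts from an empty environment, so nothing
# else from the caller (HOME, other secrets, proxy settings) reaches it.
run_with_only() {
    var=$1
    shift
    eval "val=\$$var"
    env -i PATH=/usr/bin:/bin "$var=$val" "$@"
}

# Cron entry point (runs as root), e.g.:
#   5 * * * * root /usr/local/sbin/run-secret-script --run
# Sources the 0400 secret file, then switches user with su. Unlike the
# comment's -p (carry the whole environment), --whitelist-environment
# (util-linux >= 2.32) passes only the listed variable. -s /bin/sh is
# needed because www-data's login shell is /usr/sbin/nologin.
run_as_service_user() {
    . "$SECRET_FILE"
    exec su www-data -s /bin/sh \
        --whitelist-environment="$VAR_NAME" \
        -c "exec $TARGET"
}

# Older su without --whitelist-environment (the comment's situation):
# empty the environment first, so -p has nothing but the secret to keep.
run_as_service_user_legacy() {
    . "$SECRET_FILE"
    exec run_with_only "$VAR_NAME" \
        su www-data -s /bin/sh -p -c "exec $TARGET"
}

# Only act when invoked with --run; otherwise just define the functions,
# so run_with_only can be exercised without root.
if [ "${1:-}" = "--run" ]; then
    run_as_service_user
fi
```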