Today I learned that unprivileged users can run "systemctl show servicename" to see all the environment variables set in the .service file.

This means if someone sets their AWS_SECRET_ACCESS_KEY in there (or any other secret), it can be read by an attacker even if they don't have read privileges to read the .service file.

For defenders, use EnvironmentFile= instead of Environment= and as long as your environment file has the correct privileges, you will be fine on this front.
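As an added illustration, not code from the post above: a small POSIX shell audit that flags inline `Environment=` secrets in a unit file (the values `systemctl show` reveals) and checks that a referenced `EnvironmentFile=` is not group- or world-readable. The unit files, the env file and the secret value are constructed for the demo under a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): audit a systemd unit for inline
# Environment= secrets and check EnvironmentFile= permissions.
# All paths and the secret value below are constructed for this demo.

# Count Environment= lines whose variable name looks secret-bearing.
count_inline_secrets() {
    grep -ciE '^Environment=[^=]*(SECRET|PASSWORD|PASSWD|TOKEN|KEY)[^=]*=' "$1" || true
}

# Return 0 if the file grants no read bit to group or others (e.g. mode 0600).
# Uses ls(1) output so it stays POSIX; columns 5-10 are the group/other bits.
envfile_is_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        *r*) return 1 ;;
        *)   return 0 ;;
    esac
}

# --- demo on constructed files ---
tmp=$(mktemp -d)

cat > "$tmp/app.env" <<'EOF'
AWS_SECRET_ACCESS_KEY=EXAMPLE_SECRET_VALUE_NOT_REAL
EOF
chmod 600 "$tmp/app.env"

# Weak unit: the secret is inline, so `systemctl show` exposes it to any user.
cat > "$tmp/weak.service" <<EOF
[Service]
ExecStart=/usr/local/bin/app
Environment=AWS_SECRET_ACCESS_KEY=EXAMPLE_SECRET_VALUE_NOT_REAL
Environment=LOG_LEVEL=info
EOF

# Hardened unit: the secret lives in a 0600 EnvironmentFile instead.
cat > "$tmp/hardened.service" <<EOF
[Service]
ExecStart=/usr/local/bin/app
EnvironmentFile=$tmp/app.env
Environment=LOG_LEVEL=info
EOF

echo "weak.service inline secrets:     $(count_inline_secrets "$tmp/weak.service")"
echo "hardened.service inline secrets: $(count_inline_secrets "$tmp/hardened.service")"
if envfile_is_private "$tmp/app.env"; then
    echo "app.env permissions OK (not readable by group/others)"
else
    echo "app.env is readable by group/others"
fi
```

Run it against real units with `count_inline_secrets /etc/systemd/system/<name>.service` and point `envfile_is_private` at each `EnvironmentFile=` path the unit names.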

@adam
systemd and its consequences have been a disaster for the human race

@r000t

I don't like Systemd but I find it hard to find a distro for desktop/laptop that is not Systemd as I find many of my options there to be a PITA to work with.
