This repository has been archived by the owner on Jun 4, 2023. It is now read-only.

-k is a local security hole #199

Closed
tkorvola opened this issue Mar 24, 2018 · 3 comments

Comments

@tkorvola

argv is public information on Unix systems: if pyro4-ns is started with the -k option, any local user can see the key with ps. Reading the key from a file would be more secure. For extra security, check that the key file is accessible only by the current user.

@irmen
Owner

irmen commented Mar 26, 2018

Thank you, I'll think about a better implementation.
@tkorvola what about reading it from an environment variable?

@tkorvola
Author

Not totally sure about environment variables, but probably safe.
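The two mitigations discussed in this thread, reading the key from a file that only the current user can access and reading it from an environment variable, as an added example that is not Pyro4's own code. The key-file policy (regular file, owned by the running uid, no group/world permission bits) and the variable name `PYRO_HMAC_KEY` are assumptions made for this illustration; the sample key is constructed.

```python
import os
import stat
import tempfile

# Constructed sample key for the demonstration only; not a real Pyro4 HMAC key.
SAMPLE_KEY = b"example-hmac-key-not-for-production"


class InsecureKeyFile(Exception):
    """Raised when the key file could be read or replaced by another local user."""


def load_key_from_file(path):
    """Return the key stored in `path`, refusing files other users can access.

    Policy enforced here (an assumption for this example, not Pyro4's own):
      * the path must be a regular file reached without following a symlink
      * the file must be owned by the uid running this process
      * no group or world permission bits may be set (mode 0600 or stricter)
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:
        # Inspect the descriptor we actually opened, so the checks and the read
        # refer to the same inode (no check-then-open race).
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise InsecureKeyFile("%s is not a regular file" % path)
        if st.st_uid != os.getuid():
            raise InsecureKeyFile("%s is not owned by uid %d" % (path, os.getuid()))
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise InsecureKeyFile("%s is group- or world-accessible (mode %o)"
                                  % (path, stat.S_IMODE(st.st_mode)))
        return f.read().strip()


def load_key_from_env(name="PYRO_HMAC_KEY"):
    """Return the key from environment variable `name`, or None if it is unset.

    Unlike argv, a process's environment is not exposed to other local users
    through ps, but it is inherited by every child process, so the variable is
    removed from os.environ as soon as it has been read.
    """
    value = os.environ.pop(name, None)
    return value.encode("utf-8") if value is not None else None


def demo():
    """Exercise both loaders on constructed inputs and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pyro.key")
        with open(path, "wb") as f:
            f.write(SAMPLE_KEY + b"\n")   # trailing newline is stripped on load
        os.chmod(path, 0o600)
        results["strict_mode_ok"] = load_key_from_file(path) == SAMPLE_KEY

        os.chmod(path, 0o644)              # now world-readable: must be refused
        try:
            load_key_from_file(path)
            results["loose_mode_refused"] = False
        except InsecureKeyFile:
            results["loose_mode_refused"] = True

    os.environ["PYRO_HMAC_KEY"] = SAMPLE_KEY.decode("utf-8")
    results["env_key"] = load_key_from_env("PYRO_HMAC_KEY")
    results["env_cleared"] = "PYRO_HMAC_KEY" not in os.environ
    return results


if __name__ == "__main__":
    print(demo())
```

`os.O_NOFOLLOW` and `os.getuid` are Unix-only, which matches the scope of the report: the problem described here is `ps` exposing argv on Unix systems. Calling `os.environ.pop` rather than `os.environ.get` is the part most often forgotten; a key that stays in the environment is handed to every subprocess the name server spawns.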

@irmen
Owner

irmen commented Apr 1, 2018

Note that using 2-way SSL is the better alternative if you're concerned about security anyway.

I think I will be marking the use of the -k command line option with a run time deprecation warning as well.

@irmen irmen closed this as completed in a9544e0 Apr 3, 2018