creativeprojects/resticprofile

Security issue: RESTIC_PASSWORD and other envieonmant variables are available to every user in systemd service unit

Opened this issue · 1 comments

Vanav commented

If I install systemd service then every environment variable defined in config file is available to any user on server.
How to reproduce:
Config file /etc/restic/profiles.yaml:

default:
  env:
    RESTIC_REPOSITORY: 'rest:http://login:password@192.168.100.100:8000/project'
    RESTIC_PASSWORD: 'restic-pass'
schedule:
  inherit: default
...

Install systemd service: resticprofile schedule.schedule.
Run as any user: systemctl cat resticprofile-backup@profile-schedule.service:

# /etc/systemd/system/resticprofile-backup@profile-schedule.service
[Unit]
Description=resticprofile backup for profile schedule in /etc/restic/profiles.yaml

[Service]
Type=notify
WorkingDirectory=/home/user
ExecStart=/usr/local/bin/resticprofile --no-prio --no-ansi --config /etc/restic/profiles.yaml --name schedule --log /var/log/restic.log backup
Nice=5
Environment="RESTIC_REPOSITORY=rest:http://login:password@192.168.100.100:8000/project"
Environment="RESTIC_PASSWORD=restic-pass"
Environment="HOME=/root"
Environment="SUDO_USER=user"

I expect the same issue with AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and any other environment variables:

resticprofile/schedule/handler_systemd.go

Line 111 in 0598026

Environment: job.Environment,

This issue was mentioned in #211 (comment), but since then #212 was implemented and all passwords are added from private config file to public service unit by default.

Is there a way to hide RESTIC_REPOSITORY, RESTIC_PASSWORD and AWS_SECRET_ACCESS_KEY for other users?

jkellerer commented

Thanks a lot for the report. It is caused by the environment capture function.

As a workaround it can be configured not to capture env variables (see schedule-capture-environment). But we should actually fix it by encrypting the values.