by marwis 985 days ago
And how is /var/run/secrets any more secure than env?

I guess you avoid the risk of accidentally logging secrets with other env variables but otherwise it seems to be just as secure/insecure.


The secrets aren't in a shared location. They're stored in an ephemeral volume specific to each container which other processes cannot access.
If someone has enough privileges to access /proc/*/environ of another process (i.e. root or the same user or process or child process) then they should be easily able to reach inside the container, no?
Other processes running as the same user can be blocked from reading /var/run/secrets via the likes of SELinux/AppArmor whereas they can't be blocked from reading /proc/environ.

It's a pretty fine distinction and I don't know how many people actually bother doing SELinux etc. in practice, but theoretically it's marginally better.

AppArmor can restrict /proc, see example from docker: https://github.com/moby/moby/blob/master/contrib/apparmor/te...
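An added example, not part of the thread: a small audit sketch of the two exposure paths compared above, parsing the NUL-separated `KEY=VALUE` format of `/proc/<pid>/environ` for secret-looking names and checking a secrets directory for files readable by group or others. The name pattern, the function names and the sample data are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Assumed heuristic for "looks like a secret"; tune for your own naming scheme.
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)

# Constructed sample in the /proc/<pid>/environ format (NUL-separated entries).
SAMPLE_ENVIRON = (b"PATH=/usr/bin\0HOME=/app\0"
                  b"DB_PASSWORD=constructed-value\0API_TOKEN=constructed-value\0")

def parse_environ(blob):
    """Parse NUL-separated KEY=VALUE entries into a dict."""
    env = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if key and sep:  # skip the empty trailing entry and malformed items
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env

def secret_like_names(env):
    """Return variable names (never values) that match the heuristic."""
    return sorted(name for name in env if SECRET_NAME.search(name))

def loose_secret_files(root):
    """Return files under root whose mode grants read to group or others."""
    loose = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
                loose.append(os.path.relpath(path, root))
    return sorted(loose)

def demo():
    """Run both checks on constructed data; returns (env names, loose files)."""
    names = secret_like_names(parse_environ(SAMPLE_ENVIRON))
    with tempfile.TemporaryDirectory() as secrets_dir:
        for filename, mode in (("db-password", 0o400), ("api-token", 0o644)):
            path = os.path.join(secrets_dir, filename)
            with open(path, "w") as fh:
                fh.write("constructed-value")
            os.chmod(path, mode)  # set explicitly so the umask does not matter
        loose = loose_secret_files(secrets_dir)
    return names, loose

if __name__ == "__main__":
    print(demo())
```

To audit a real container from inside it, feed `parse_environ` the bytes of `/proc/self/environ` and point `loose_secret_files` at the mounted secrets directory.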