by skissane
718 days ago
> people are blindly following the advice "put secrets in env vars" without understanding that the point of it is to keep secrets outside files your app can read - because if you have a vulnerability or misconfiguration that lets people read those files, it leaks the secrets.

The problem with this is that, on Linux, the environment is a file: /proc/self/environ.

And yes, as has been mentioned in some other comments, the process memory is also a file, /proc/self/mem - but it is a special file that can only be read using special procedures, whereas /proc/self/environ behaves much more like a normal file, so a lot of vulnerabilities that enable reading /proc/self/environ wouldn't enable reading /proc/self/mem.

Technically one workaround on Linux is to not mount /proc (or at least not in your app's container) - but doing that breaks a lot of things.
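The difference the comment above draws between the two files, shown as an added example that is not part of the original post or thread: a naive open()/read() primitive (the shape of most path-traversal and LFI bugs) is pointed at /proc/self/environ and at /proc/self/mem in turn. The environment variable name DEMO_API_TOKEN and its value are constructed for this example, and it assumes Linux with /proc mounted; it needs a child process for the environ part because /proc/self/environ exposes the environment block a process was exec'd with, not variables added afterwards with setenv().

```python
"""Added example: a plain sequential read leaks /proc/self/environ, while
/proc/self/mem needs a known virtual address to lseek() to first."""
import ctypes
import errno
import os
import subprocess
import sys

SECRET_NAME = "DEMO_API_TOKEN"                   # constructed for this example
SECRET_VALUE = "tok_constructed_example_value"   # constructed for this example


def procfs_available():
    """True when the Linux procfs files this example relies on exist."""
    return os.path.exists("/proc/self/environ") and os.path.exists("/proc/self/mem")


def naive_read(path, max_bytes=1 << 20):
    """Model of a typical LFI / path-traversal primitive: open(), read() from
    offset 0, done.  Returns (data, errno_or_None)."""
    try:
        with open(path, "rb") as f:
            return f.read(max_bytes), None
    except OSError as e:
        return b"", e.errno


def parse_environ(raw):
    """/proc/<pid>/environ is a sequence of NUL-terminated KEY=VALUE records."""
    env = {}
    for rec in raw.split(b"\0"):
        key, sep, val = rec.partition(b"=")
        if sep:
            env[key.decode("utf-8", "replace")] = val.decode("utf-8", "replace")
    return env


def leak_via_environ():
    """Start a child with the secret in its *initial* environment and let the
    child apply the naive read to its own /proc/self/environ.  The parent then
    parses the bytes exactly as an attacker would after pulling the file."""
    child = ("import sys; sys.stdout.buffer.write("
             "open('/proc/self/environ', 'rb').read())")
    env = {SECRET_NAME: SECRET_VALUE, "PATH": os.environ.get("PATH", "")}
    out = subprocess.run([sys.executable, "-c", child], env=env,
                         capture_output=True, check=True).stdout
    return parse_environ(out).get(SECRET_NAME)


def naive_read_of_mem():
    """The same primitive against /proc/self/mem: offset 0 is never mapped
    (mmap_min_addr), so the kernel answers EIO instead of returning data.
    Returns the errno name, e.g. 'EIO'."""
    _, err = naive_read("/proc/self/mem")
    return errno.errorcode.get(err, str(err))


def targeted_read_of_mem():
    """What reading /proc/self/mem actually takes: a virtual address to
    lseek() to.  Here we cheat and ask ctypes for the address of a buffer
    holding the secret; a real attacker would need an address leak first."""
    buf = ctypes.create_string_buffer(SECRET_VALUE.encode())
    addr = ctypes.addressof(buf)
    fd = os.open("/proc/self/mem", os.O_RDONLY)
    try:
        os.lseek(fd, addr, os.SEEK_SET)
        data = os.read(fd, len(SECRET_VALUE))
    finally:
        os.close(fd)
    return data.decode()


if __name__ == "__main__":
    if not procfs_available():
        sys.exit("needs Linux with /proc mounted")
    print("environ, naive read :", leak_via_environ())
    print("mem, naive read     :", naive_read_of_mem())
    print("mem, targeted read  :", targeted_read_of_mem())
```

Run it on a Linux box and the first line prints the constructed token, the second prints EIO, and the third prints the token again only because the script handed itself the address; without that address the mem read is useless, which is the asymmetry the comment describes.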