
Will os.system(f"{var}") expose the variable (print/stdout)?

I have some security concerns regarding Python's os.system. As I couldn't find an answer, I would like to ask for your help.

So I have stored the username & password for my database as environment variables. Then I want to start a server with a shell statement:

os.system(f"server --host 0.0.0.0 " f"{db_type}://{db_user}:{db_pw}@host")

I removed some parts of the statement as they are not relevant for this question.

My question is: Will my variables db_user or db_pw get exposed somewhere? I am concerned that os.system will print or stdout the whole statement with the clear variables. If so, is there a way to prevent it?

The code will run on an ec2/aws. I know there are other ways to start a server but I am interested in this specific scenario.

Yes, the contents will be exposed. Not specifically on stdout/err, but you can see the contents. Take the example

import os

password = 'secret'
os.system(f"echo {password} && sleep 1000")

This will start the command in a new subshell (as per the documentation). This process will now run, so it will be visible in the running process list. Start for example top or htop and search for that process. That might display something like this:

[image: enter image description here]

There you can see the content of the password variable. This is due to the fact that first the complete string argument to os.system is evaluated and substituted. This string is then passed to sh to start a new subshell.

As a unix user can list the machine's processes, it's never a good idea to pass secrets via cli arguments. Neither is passing via ENV-variables, as you could inspect the environment via cat /proc/{$pid}/environ. The best way would be to pass the data via stdin to the subprocess.
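A runnable comparison of the two approaches discussed in this answer, added here as an example and not part of the original post. It starts a `sh -c` child the way os.system does, reads the child's argv while it is still running (Linux /proc, with a `ps` fallback), and contrasts interpolating a constructed sample secret into the command string with handing it over on stdin:

```python
import subprocess

# Constructed sample value for the demo, not a real credential.
SECRET = "s3cr3t-constructed-example"

def child_cmdline(pid):
    """Return the argv of a live process as one string, as any local user could read it."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:          # Linux
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    except FileNotFoundError:                                    # macOS/BSD fallback
        return subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                              capture_output=True, text=True).stdout

def run_and_inspect(argv, stdin_payload):
    """Start `sh -c` like os.system does, snapshot its argv while it waits on stdin,
    then feed stdin and return (argv_snapshot, child_stdout)."""
    p = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    snapshot = child_cmdline(p.pid)        # child is blocked in `read`, so it is alive
    out, _ = p.communicate(stdin_payload)  # unblock it and collect what it printed
    return snapshot, out

def secret_in_argv():
    """The question's pattern: the secret is interpolated into the command string."""
    # `read` is only a barrier so the process is still alive when we inspect it.
    snapshot, out = run_and_inspect(
        ["sh", "-c", f"IFS= read -r _; printf '%s' {SECRET}"], "\n")
    return SECRET in snapshot, out

def secret_via_stdin():
    """The answer's recommendation: argv holds only the script; the secret arrives on stdin."""
    snapshot, out = run_and_inspect(
        ["sh", "-c", "IFS= read -r pw; printf '%s' \"$pw\""], SECRET + "\n")
    return SECRET in snapshot, out

if __name__ == "__main__":
    print("interpolated into argv -> visible in cmdline:", secret_in_argv()[0])   # True
    print("passed on stdin        -> visible in cmdline:", secret_via_stdin()[0]) # False
```

Note that /proc/<pid>/cmdline is readable by every local user, while /proc/<pid>/environ is readable only by the process owner and root, so a secret in argv is the wider exposure of the two.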
