I have some security concerns regarding Python's os.system. As I couldn't find an answer I would like to ask for your help.
So I have stored the username & password for my database as environment variables. Then I want to start a server with a shell statement:
os.system(f"server --host 0.0.0.0 " f"{db_type}://{db_user}:{db_pw}@host")
I removed some parts of the statement as they are not relevant for this question.
My question is: Will my variables db_user or db_pw get exposed somewhere? I am concerned that os.system will print or stdout the whole statement with the clear variables. If so, is there a way to prevent it?
The code will run on an ec2/aws. I know there are other ways to start a server but I am interested in this specific scenario.
Yes, the contents will be exposed. Not specifically on stdout/err, but you can see the contents. Take the example
password='secret'
os.system(f"echo {password} && sleep 1000")
This will start the command in a new subshell (as per documentation). This process will now run, so it will be visible in the running process list. Start for example top or htop and search for that process. That might display something like this:
There you can see the content of the password variable. This is due to the fact that first the complete string argument to os.system is evaluated and substituted. This string is then passed to sh to start a new subshell.
As a unix user can list the machine's processes, it's never a good idea to pass secrets via cli arguments. Neither is passing via ENV-variables, as you could inspect the environment via cat /proc/{$pid}/environ. The best way would be to pass the data via stdin to the subprocess.
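The following is an added example (not code from the question or the answer above) that makes the two points of the answer concrete: a secret interpolated into the command string becomes part of the child's argument vector, which is exactly what top, htop and /proc/PID/cmdline show, whereas a secret written to the child's stdin never appears there. The real server is replaced by a stand-in Python child that reports its own argv and how many characters it read from stdin; the assumption is that the server you actually launch can read the password from stdin (or a config file) instead of the URL.

```python
"""Added example: secret-in-argv (visible in the process list) versus
secret-on-stdin (not visible). The child process is a stand-in for the
server from the question; its sys.argv is the same data the process list
exposes."""
import subprocess
import sys

# Stand-in "server": prints its argument vector (what `ps`/`top` would show),
# then the number of characters it received on stdin.
CHILD = (
    "import sys;"
    "print(' '.join(sys.argv[1:]));"
    "print(len(sys.stdin.readline().rstrip('\\n')))"
)


def spawn(argv_tail, secret_on_stdin=None):
    """Start the stand-in child with an explicit argv list (no shell, so no
    `sh -c` process carrying the string either). Returns the argv line as the
    child saw it and the number of characters it read from stdin."""
    proc = subprocess.Popen(
        [sys.executable, "-c", CHILD, *argv_tail],
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        text=True,
    )
    payload = (secret_on_stdin + "\n") if secret_on_stdin is not None else ""
    out, _ = proc.communicate(input=payload)   # closes stdin when done
    argv_line, stdin_len = out.splitlines()
    return argv_line, int(stdin_len)


def insecure_launch(db_user, db_pw):
    """Mirrors the f-string from the question: the password ends up inside
    an argument, so any user who can list processes can read it."""
    url = f"postgres://{db_user}:{db_pw}@host"   # constructed sample URL
    return spawn(["--host", "0.0.0.0", url])


def safer_launch(db_user, db_pw):
    """Only non-secret values go on the command line; the password travels
    over the stdin pipe, which is private to parent and child."""
    url = f"postgres://{db_user}@host"
    return spawn(["--host", "0.0.0.0", url], secret_on_stdin=db_pw)


def secret_visible_in_process_list(argv_line, secret):
    """True if the secret would be readable from the child's cmdline."""
    return secret in argv_line


if __name__ == "__main__":
    user, pw = "admin", "s3cret"   # constructed sample credentials
    argv_line, _ = insecure_launch(user, pw)
    print("insecure argv:", argv_line,
          "-> exposed:", secret_visible_in_process_list(argv_line, pw))
    argv_line, n = safer_launch(user, pw)
    print("safer argv:   ", argv_line,
          "-> exposed:", secret_visible_in_process_list(argv_line, pw),
          "| chars read from stdin:", n)
```

Passing an argv list instead of a shell string also removes the shell from the picture entirely: with os.system there is an extra sh -c process whose argument is the whole command string, so the password is listed twice. On Linux you can confirm what a process exposes with cat /proc/PID/cmdline, just as the answer does for the environment.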