In this article we explore a way to use a complex password with systemd via an environment variable, keeping the password out of the systemd journal and the process list.
We assume a Filespace root password of Pa$$w0rd and a Filespace called filespace.domain.
Use systemd-escape to escape the complex password, then wrap the escaped string as a PASSWORD variable in a systemd environment file. The file holds the credential, so it must be owned by root and readable by root only (mode 0600).
systemd-escape 'Pa$$w0rd' > /root/lucidlink.service.pwd
sed -i "s/^/'/;s/$/'/;s/^/PASSWORD=/" /root/lucidlink.service.pwd
cat /root/lucidlink.service.pwd
PASSWORD='Pa\x24\x24w0rd'
Create the systemd unit file with the appropriate Filespace name and user. The first ExecStartPost waits until the daemon reports Unlinked; the second unescapes the password and pipes it to lucid link on stdin, so it never appears on the daemon's command line.
nano /etc/systemd/system/lucidlink.service
[Unit]
Description=LucidLink filespace.domain Daemon
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
EnvironmentFile=/root/lucidlink.service.pwd
ExecStart=/usr/bin/lucid daemon
ExecStartPost=/bin/bash -c 'until lucid status | grep -q Unlinked ; do sleep 1 ; done'
ExecStartPost=/bin/bash -c "/bin/systemd-escape -u '${PASSWORD}' | /usr/bin/lucid link --fs filespace.domain --user root"
ExecStop=/usr/bin/lucid exit
Restart=on-abort
[Install]
WantedBy=multi-user.target
Enable and start your systemd service.
systemctl enable lucidlink.service
systemctl start lucidlink.service
Check the service status and the journal; the password should appear in neither.
systemctl status lucidlink.service
journalctl -u lucidlink.service
Confirm that the Filespace is linked and that the password is not visible on the daemon's command line. Note that the escaped form does pass briefly through the argv of the short-lived systemd-escape helper run by ExecStartPost, where anyone reading /proc/<pid>/cmdline at that moment could see it, and systemd-escape -u reverses it trivially. This method keeps the password out of the long-running process list and the journal; it does not protect it from a local observer who catches the link step.
lucid status
ps xuaf | grep -i lucid | grep daemon
Clear your bash history, so the systemd-escape command containing the plaintext password is not written to ~/.bash_history when the shell exits. If the shell has already saved it, remove the line from that file as well.
history -c
The .pwd file holding your Filespace password should be readable by root only.
Note: When SELinux is in Enforcing mode, the service may fail to start if the .pwd file does not carry a context systemd is allowed to read; in Permissive mode the denial is only logged. Either place the file somewhere that inherits a suitable context, or relabel the file (for example with chcon or a semanage fcontext rule followed by restorecon).
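The whole procedure above, collected into one script that can be run offline, as an added example that is not part of the original article and not LucidLink's own code. It wraps the steps in shell functions: writing the environment file with owner-only permissions, rendering the unit (with Wants=network-online.target added and a sleeping wait loop), and a check_for_secret function that scans text such as the unit file, journal output or a ps listing for both the plaintext and the systemd-escaped form of the password. The file names, Filespace name and user are the article's placeholders; the ps and journal lines it checks are constructed samples, and systemd-escape is only needed by escape_password.

```shell
#!/usr/bin/env bash
# Added example; this is not code from the original article or from LucidLink.
# It wraps the article's steps in shell functions so they can be run and
# checked: build the environment file with owner-only permissions, render
# the unit, and scan text (the unit file, journal output, a ps listing) for
# both the plaintext and the systemd-escaped form of the password.
# Assumptions: the file names, filespace name and user are the article's
# placeholders; systemd-escape is needed only by escape_password.
set -eu

# Step 1 of the article: escape the raw password (needs systemd-escape).
escape_password() {
    systemd-escape "$1"
}

# Write PASSWORD='<escaped>' to $1. The single quotes keep the value
# intact for systemd's EnvironmentFile parser; umask 077 makes the file
# mode 0600 at creation, so the credential is never world-readable.
write_env_file() {
    local path="$1" escaped="$2"
    ( umask 077; printf "PASSWORD='%s'\n" "$escaped" > "$path" )
}

# Permission bits of $1 as ls shows them, e.g. "-rw-------".
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Print the article's unit for filespace $1 and user $2, reading the
# environment file $3. Wants= is added so network-online.target is pulled
# in rather than only ordered before the service, and the wait loop sleeps
# instead of spinning. ${PASSWORD} is left for systemd to expand at start.
render_unit() {
    local fs="$1" user="$2" envfile="$3"
    cat <<EOF
[Unit]
Description=LucidLink $fs Daemon
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
EnvironmentFile=$envfile
ExecStart=/usr/bin/lucid daemon
ExecStartPost=/bin/bash -c 'until lucid status | grep -q Unlinked ; do sleep 1 ; done'
ExecStartPost=/bin/bash -c '/bin/systemd-escape -u "\${PASSWORD}" | /usr/bin/lucid link --fs $fs --user $user'
ExecStop=/usr/bin/lucid exit
Restart=on-abort

[Install]
WantedBy=multi-user.target
EOF
}

# Print "plain", "escaped" or "none" depending on which form of the
# password occurs in $3. The escaped form counts as a leak too: anyone who
# sees it can run systemd-escape -u on it.
check_for_secret() {
    local raw="$1" escaped="$2" text="$3"
    if [ "${text#*"$raw"}" != "$text" ]; then
        echo plain
    elif [ "${text#*"$escaped"}" != "$text" ]; then
        echo escaped
    else
        echo none
    fi
}

# Demonstration on constructed data in a temporary directory (no systemd
# or lucid binary required).
demo() {
    local raw='Pa$$w0rd' escaped='Pa\x24\x24w0rd'   # escaped form as printed by systemd-escape
    if command -v systemd-escape >/dev/null 2>&1; then
        escaped=$(escape_password "$raw")
    fi
    local dir; dir=$(mktemp -d)
    write_env_file "$dir/lucidlink.service.pwd" "$escaped"
    render_unit filespace.domain root "$dir/lucidlink.service.pwd" > "$dir/lucidlink.service"
    echo "env file mode: $(file_mode "$dir/lucidlink.service.pwd")"
    echo "unit file:     $(check_for_secret "$raw" "$escaped" "$(cat "$dir/lucidlink.service")")"
    # Constructed ps lines: the long-running daemon is clean, but the
    # short-lived ExecStartPost helper carries the escaped form in its argv.
    echo "daemon argv:   $(check_for_secret "$raw" "$escaped" 'root 1234 0.0 /usr/bin/lucid daemon')"
    echo "helper argv:   $(check_for_secret "$raw" "$escaped" "root 1250 0.0 /bin/systemd-escape -u $escaped")"
    rm -rf "$dir"
}
demo
```

On a real host, run render_unit with your own Filespace name and user into /etc/systemd/system/lucidlink.service, then feed check_for_secret the output of journalctl -u lucidlink.service and ps xuaf after the service has started; "none" for the daemon line and the journal is the result the article is after, while "escaped" on the helper line is the brief exposure noted above.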