systemd LucidLink service utilizing complex and concealed password


In this article we explore a method to use a complex password with systemd by passing it through an environment variable, while concealing the password from the systemd journal and the process list.

We will assume a Filespace root password of Pa$$w0rd and a Filespace called filespace.domain.

Use systemd-escape to escape your complex password and create a systemd environment file containing the escaped string as the PASSWORD variable.

systemd-escape 'Pa$$w0rd' > /root/lucidlink.service.pwd
sed -i "s/^/'/;s/$/'/;s/^/PASSWORD=/" /root/lucidlink.service.pwd
cat /root/lucidlink.service.pwd

Create your systemd unit file with the appropriate Filespace name and user. The EnvironmentFile= line loads the PASSWORD variable from the file created above; systemd substitutes ${PASSWORD} into the ExecStartPost command, and systemd-escape -u restores the original password before it is piped to lucid link.

nano /etc/systemd/system/lucidlink.service
[Unit]
Description=LucidLink filespace.domain Daemon
[Service]
# PASSWORD is read from the environment file created above
EnvironmentFile=/root/lucidlink.service.pwd
ExecStart=/usr/bin/lucid daemon
ExecStartPost=/bin/bash -c 'until lucid status | grep -q Unlinked ; do sleep 1 ; done'
ExecStartPost=/bin/bash -c "/bin/systemd-escape -u '${PASSWORD}' | /usr/bin/lucid link --fs filespace.domain --user root"
ExecStop=/usr/bin/lucid exit
[Install]
WantedBy=multi-user.target

Enable and start your systemd service.

systemctl enable lucidlink.service
systemctl start lucidlink.service

Check your systemd service status and the journalctl log to confirm that your password does not appear in either.

systemctl status lucidlink.service
journalctl -u lucidlink.service

Confirm your Filespace is linked and that your password isn't displayed in the process list.

lucid status
ps xuaf | grep Lucid | grep daemon

Clear your bash history, since the plaintext password was typed on the command line in the systemd-escape step above.

history -c

Your Filespace complex password should now only be accessible to root, via the /root/lucidlink.service.pwd file.
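As an added example (not LucidLink's or systemd's own code), the Python below re-implements the escaping rule documented in systemd-escape(1) so the environment file line and the log checks from the steps above can be verified offline: it builds the PASSWORD= line, writes the .pwd file root-only (mode 0600) from the start, and scans journalctl or ps output for the password in plaintext or escaped form. The journal and ps lines are constructed samples, not captured from a real host.

```python
import os


def systemd_escape(s: str) -> str:
    """Rule from systemd-escape(1): '/' becomes '-'; ASCII letters, digits,
    ':', '_' and a non-leading '.' pass through; every other byte (and a
    leading '.') becomes a C-style \\xNN escape. Re-implemented here."""
    out = []
    for i, b in enumerate(s.encode()):
        c = chr(b)
        if c == '/':
            out.append('-')
        elif b < 128 and (c.isalnum() or c in ':_' or (c == '.' and i > 0)):
            out.append(c)
        else:
            out.append('\\x%02x' % b)
    return ''.join(out)


def systemd_unescape(s: str) -> str:
    """Inverse of systemd_escape, i.e. what `systemd-escape -u` does."""
    raw, i = bytearray(), 0
    while i < len(s):
        if s.startswith('\\x', i) and i + 4 <= len(s):
            raw.append(int(s[i + 2:i + 4], 16))
            i += 4
        else:
            raw.append(ord('/') if s[i] == '-' else ord(s[i]))
            i += 1
    return raw.decode()


def env_file_line(password: str) -> str:
    """The line the article's systemd-escape + sed pipeline produces."""
    return "PASSWORD='%s'" % systemd_escape(password)


def write_env_file(path: str, password: str) -> str:
    """Write the environment file root-only (0600) and return its mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as f:
        f.write(env_file_line(password) + '\n')
    return oct(os.stat(path).st_mode & 0o777)


def find_leaks(text: str, password: str) -> list:
    """Lines of journalctl/ps output containing the password in plaintext
    or escaped form; an empty list means the article's check passes."""
    needles = (password, systemd_escape(password))
    return [ln for ln in text.splitlines() if any(n in ln for n in needles)]


# Constructed sample output; LEAKY_PS shows a mistake the article avoids.
CLEAN_JOURNAL = ("systemd[1]: Starting LucidLink filespace.domain Daemon...\n"
                 "systemd[1]: Started LucidLink filespace.domain Daemon.\n")
LEAKY_PS = "root 1300 /bin/bash -c 'echo Pa$$w0rd | /usr/bin/lucid link'\n"
```

Run find_leaks over the real `journalctl -u lucidlink.service` and `ps xuaf` output on the host to repeat the article's visual check mechanically.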

Note: When SELinux is in Enforcing or Permissive mode you may need to place the .pwd file somewhere that inherently has the correct context, or modify the label on the .pwd file to provide the correct context; otherwise starting your service may fail.
