In this article we will explore a method to use a complex password with a systemd service, via an environment file, while keeping the password out of the systemd journal and the process list.
We will assume a Filespace root password of Pa$$w0rd and a Filespace called filespace.domain.
Use systemd-escape to escape your complex password, then create a systemd environment file that holds the escaped string in a PASSWORD variable. Escaping turns characters that are special to systemd or the shell (here, the dollar signs) into \xHH sequences, so the value can be stored and expanded safely. The file is read by systemd as root; it must be owned by root with mode 0600.
systemd-escape 'Pa$$w0rd' > /root/lucidlink.service.pwd
sed -i "s/^/'/;s/$/'/;s/^/PASSWORD=/" /root/lucidlink.service.pwd
cat /root/lucidlink.service.pwd
PASSWORD='Pa\x24\x24w0rd'
Create your systemd unit file with the appropriate Filespace name and user.
nano /etc/systemd/system/lucidlink.service
[Unit]
Description=LucidLink filespace.domain Daemon
# After= only orders the units; Wants= makes sure network-online.target is actually pulled in.
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
# Escaped password from the previous step; keep this file mode 0600, owned by root.
EnvironmentFile=/root/lucidlink.service.pwd
ExecStart=/usr/bin/lucid daemon
# Wait until the daemon answers before linking; poll once a second instead of spinning.
ExecStartPost=/bin/bash -c 'until lucid status | grep -q Unlinked; do sleep 1; done'
# Unescape the password and hand it to "lucid link" on stdin, never on the daemon's command line.
ExecStartPost=/bin/bash -c "/bin/systemd-escape -u '${PASSWORD}' | /usr/bin/lucid link --fs filespace.domain --user root"
ExecStop=/usr/bin/lucid exit
Restart=on-abort

[Install]
WantedBy=multi-user.target
Enable and start your systemd service.
systemctl enable lucidlink.service
systemctl start lucidlink.service
Check the service status and the journal for your password: search for both the plaintext (Pa$$w0rd) and the escaped form (Pa\x24\x24w0rd), since the escaped form is trivially reversible. Neither should appear.
systemctl status lucidlink.service
journalctl -u lucidlink.service
Confirm your Filespace is linked and that the password is not visible on the daemon's command line. Note that the helper which unescapes it (the systemd-escape -u call in ExecStartPost) does receive the escaped string as a command-line argument, so it is visible in the process list for the instant it runs; only the long-lived daemon process is checked here.
lucid status
ps xuaf | grep Lucid | grep daemon
Clear your bash history: the plaintext password was typed on the command line in the systemd-escape step, so it is recorded there.
history -c
Your Filespace complex password should only be accessible to root: the environment file /root/lucidlink.service.pwd must be owned by root with mode 0600, and the password should not appear anywhere else on the system.
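The following shell helpers are an added example, not part of the original article or of LucidLink's own tooling. They cover the two checks the procedure above leaves to the reader: creating the environment file so it is never world-readable (the article's plain redirect creates it under the shell's umask, usually 022), and scanning journal or process-list text for both the plaintext and the escaped password. The paths and the sample password are the article's; the function names are this example's own, and it assumes GNU coreutils for stat -c.

```shell
#!/bin/bash
# Added example (not from the original article). Assumes GNU coreutils (stat -c).
set -u

# write_password_file PATH ESCAPED
#   ESCAPED is the output of `systemd-escape 'Pa$$w0rd'`, i.e. Pa\x24\x24w0rd.
#   umask 077 in a subshell creates the file as 0600 from the start and leaves
#   the caller's umask untouched.
write_password_file() {
    local path=$1 escaped=$2
    rm -f -- "$path"          # a pre-existing file would keep its old mode
    ( umask 077 && printf "PASSWORD='%s'\n" "$escaped" > "$path" )
}

# password_file_secure PATH
#   Succeeds only if the file is owned by the invoking user (root when run as
#   in the article) and its mode is exactly 0600.
password_file_secure() {
    local path=$1
    [ -O "$path" ] && [ "$(stat -c '%a' "$path")" = "600" ]
}

# password_absent PLAINTEXT ESCAPED   (reads the text to scan on stdin)
#   Succeeds only if neither the plaintext nor the escaped password occurs.
#   The escaped form matters because systemd-escape is reversible: Pa\x24\x24w0rd
#   in a log line is as good as the password itself.
#   grep -F treats both arguments as fixed strings, so '$' and '\' are not patterns.
password_absent() {
    local plain=$1 escaped=$2
    ! grep -qF -e "$plain" -e "$escaped"
}

# Typical use, as root, alongside the article's steps:
#   write_password_file /root/lucidlink.service.pwd "$(systemd-escape 'Pa$$w0rd')"
#   password_file_secure /root/lucidlink.service.pwd || echo "fix permissions"
#   { journalctl -u lucidlink.service; ps axo args; } \
#       | password_absent 'Pa$$w0rd' "$(systemd-escape 'Pa$$w0rd')" || echo "password leaked"
```

The process-list scan only sees what is running at that moment; the short-lived ExecStartPost helper is caught only if the scan runs while the service is still linking.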