systemd LucidLink service utilizing complex and concealed password

David Bull
David Bull
  • Updated

In this article we will explore a method to utilize a complex password with systemd, via an environment variable and conceal the password from the systemd log and process list. 

We will set assume a Filespace root password of Pa$$w0rd and a Filespace called filespace.domain.

Use systemd-escape to escape your complex password and create systemd environment file containing the escaped string as a password variable. 

systemd-escape 'Pa$$w0rd' > /root/lucidlink.service.pwd
sed -i "s/^/'/;s/$/'/;s/^/PASSWORD=/" /root/lucidlink.service.pwd
cat /root/lucidlink.service.pwd

Create your systemd unit file with appropriate Filespace name and user.

nano /etc/systemd/system/lucidlink.service
Description=LucidLink filespace.domain Daemon
ExecStart=/usr/bin/lucid daemon
ExecStartPost=/bin/bash -c "until lucid status | grep -q "Unlinked" ; do continue ; done"
ExecStartPost=/bin/bash -c "/bin/systemd-escape -u '${PASSWORD}' | /usr/bin/lucid link --fs filespace.domain --user root"
ExecStop=/usr/bin/lucid exit

Enable and start your systemd service.

systemctl enable lucidlink.service
systemctl start lucidlink.service

Check your systemd service status and journalctl log for your password.

systemctl status lucidlink.service
journalctl -u lucidlink.service

Confirm your Filespace is linked and your password isn't displayed in the process.

lucid status
ps xuaf | grep Lucid | grep daemon

Clear your bash history.

history -c

Your Filespace complex password should only be accessible to root.

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request



Article is closed for comments.