
I've tried using the gnome-keyring on a headless server, but got an error, so I am back to environment variables. https://unix.stackexchange.com/questions/690295/error-secret-tool-cannot-create-an-item-in-a-locked-collection

I tried using .env and .profile, but the latter is not called by Bash; .bash_profile is used instead (Setting PATH variable in /etc/environment vs .profile).

I'm not sure that will work for scripts or utilities that run when I'm not logged in, even though they run with root privs. For example, a cron.daily script that emails a report. I want to pass it $EMAIL, and also pass that variable to other utilities like apticron, for security and ease of changing.

This answer suggests using an env var pointing to a config file, which I assume I could set ownership, group and perms on. But is there a more conventional method? https://stackoverflow.com/a/26030125/4240654

EDIT: I just tested scripts after setting vars in .bashrc and they seem to work. Still testing utilities like Apticron... which, it turns out, does not accept a variable like EMAIL=$EMAIL in /etc/apticron/apticron.conf, probably because it is not running in the root ENV. Okay, actually both of those work now after commenting out EMAIL="root" in /usr/lib/apticron/apticron.conf (which doesn't need to happen when using a plain text email, so that is inconsistent, and just for Apticron). Using a file and EMAIL=$(cat .env) still doesn't work with Apticron though.


Possible solutions:

The first two of those require opening a file or store and leaving it open on a server VM, which would be the same as using a limited-access file like .env.

.bashrc is perm 644 by default, so readable by any other user, though the /root dir is 700 so not traversable? More importantly, env vars even set just by root are accessible by all users, probably because all child processes inherit parent env vars. Postfix stores its password in a separate file with 600 perms owned by root, and then hashes it for use in memory.

alchemy
  • It's not really clear what you want to accomplish. /etc/environment would be appropriate for setting a variable system-wide, whereas the private startup files of root would be suitable for setting something for the root account specifically. .profile will be read by Bash, too, unless you have a .bash_profile (which then conventionally should read .profile too anyway, but that's then your responsibility). – tripleee Feb 12 '22 at 21:06
  • @tripleee.. my .profile env var doesn't work and I don't have a .bash_profile... I'm trying to only have the var readable by a root-run script or utility, so /etc/anything I think is out. I'm looking into either a locked-down custom .myenv file. I think .bash_profile env vars would be exposed to any process running as root? (then again, if it is, it's a lost battle anyway). I'm just looking into what else has access to root's env vars. Hope that clarifies my jumble of a question. – alchemy Feb 12 '22 at 21:32
  • .bash_profile is run by interactive or login instances of the Bash shell. Scripts you run from cron or as a system service are neither interactive nor login shells, nor often even Bash scripts at all. – tripleee Feb 13 '22 at 06:53

2 Answers


Here is what you should do:

  1. open your terminal

  2. execute sudo -s or su

  3. execute cd ~/

  4. execute nano .bashrc

  5. then add your variables there, for example:

welcome_message="WELCOME!"
echo "$welcome_message"

  6. close and reopen the terminal
Nmath

I think the best is to use a file with strict perms owned by root. I created a directory called .env, which used to be a file for setting env vars. So I have a file ~/.env/EMAIL that I can call with $(cat ~/.env/EMAIL) in scripts and works with Apticron. It just has one value in it: xxx@email.com.

mkdir ~/.env && echo 'xxx@gmail.com' >> ~/.env/EMAIL && chmod 600 ~/.env/EMAIL

Or to set 600 for all new files in .env/ use:

mkdir ~/.env
# enable ACLs on the root filesystem (assumes the / line in /etc/fstab has "defaults" followed by a tab)
sed -i 's/defaults\t/defaults,acl\t/' /etc/fstab
mount -o remount /
# default ACL for new entries: new regular files are created with mode 666 & umask, and the
# default ACL is intersected with that mode, so the x in g::x,o::x never applies to files
# and they end up 600
setfacl -dm u::rw,g::x,o::x ~/.env
# the directory itself needs x to stay traversable; keep it owner-only
chmod 700 ~/.env
echo 'xxx@gmail.com' >> ~/.env/EMAIL

alchemy
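As an added example (this is not code from the answer above or from any of the tools mentioned): a Bash helper that creates the secret file owner-only in the first place, and a loader that a cron.daily script can call instead of a bare $(cat ~/.env/EMAIL). The loader refuses the file unless it is owned by the invoking user, has no group/other bits, and sits in a directory nobody else can write to (otherwise another user could swap the file and choose where root's report is mailed). The paths, the helper names, the umask-based creation and the sample address are all assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the answer above. Creates a secret file the
# way the answer suggests (owner-only), then loads it with ownership and
# permission checks before a cron.daily script trusts its contents.
# Paths, helper names and the sample address are constructed for this example.
set -euo pipefail

# Create DIR/NAME containing VALUE under umask 077, so the directory is born
# 0700 and the file 0600 (no window between creation and a later chmod).
make_secret_file() {
    local dir="$1" name="$2" value="$3"
    ( umask 077
      mkdir -p "$dir"
      printf '%s\n' "$value" > "$dir/$name" )
}

# Print the first line of FILE, or fail (return 1, message on stderr) if
# another user could read or replace it:
#   - must be a regular file owned by the invoking uid (root for cron jobs)
#   - no group/other permission bits at all (mode 0600 or 0400)
#   - parent directory not group/other writable (else the file can be swapped)
load_secret() {
    local file="$1" dir owner mode dmode
    [ -f "$file" ] || { echo "load_secret: $file is not a regular file" >&2; return 1; }
    owner=$(stat -c '%u' "$file")
    [ "$owner" = "$(id -u)" ] || { echo "load_secret: $file not owned by uid $(id -u)" >&2; return 1; }
    mode=$(stat -c '%a' "$file")
    [ "${mode: -2}" = "00" ] || { echo "load_secret: $file has mode $mode, expected 0600" >&2; return 1; }
    dir=$(dirname "$file")
    dmode=$(stat -c '%a' "$dir")
    (( (8#$dmode & 022) == 0 )) || { echo "load_secret: $dir is group/other writable (mode $dmode)" >&2; return 1; }
    head -n 1 "$file"
}

# Stand-alone demo in a temporary directory. A real /etc/cron.daily/report
# script would instead do:  EMAIL=$(load_secret /root/.env/EMAIL)
demo() {
    local base email
    base=$(mktemp -d)
    make_secret_file "$base/.env" EMAIL 'ops@example.invalid'
    email=$(load_secret "$base/.env/EMAIL")
    echo "report would be mailed to: $email"
    rm -rf "$base"
}
demo
```

The checks use GNU stat (-c '%u' / '%a'), so this is Linux-specific, which matches the Ubuntu/Apticron setup in the question. Because the loader fails closed, a cron script that sources it with set -e simply aborts (and cron mails the stderr message to MAILTO) rather than sending the report to whatever address a loosened file happened to contain.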