Web Excursion 2021-06-14
How to Handle Secrets on the Command Line
Piped Secrets: $(< /dev/stdin) uses a neat Bash substitution to make an otherwise secure pipe insecure. For example, if you run:
$ echo "secret-data" | curl -d "$(</dev/stdin)" https://example.com:3000
then the output of ps for curl will show:
curl -d secret-data https://example.com:3000
Credentials Files: A few notes about storing and retrieving file secrets:
You'd better get the permissions right
Avoid leaking the secret in the command string, e.g. with "$(< secret_file.txt)"
Be sure your disk is encrypted at rest, e.g. with LUKS
You may want to encrypt the contents of the file — but then you need to figure out how to handle the encryption key.
Environment Variables: Not recommended because it's so easy to leak things:
Some operating systems still make every process's environment variables world readable
Anyone with access to the Docker daemon can use docker inspect to see all env
In systemd, environment variables in unit files are available to users via the dbus interface
Exported environment variables will get passed to every new process
Local (unexported) environment variables are also easy to leak into ps output
They can easily end up in shell history; but in many shells, adding an extra space before a command will hide it from shell history. (In Bash, the HISTCONTROL variable must be set to ignorespace.)
What About A Secrets Manager? It is an extra dependency, and you may still need Bash to shuttle the secret into your target application. For a lightweight solution, use the keyctl command or the keyctl system calls.
Directly in the command: Commands like mysql and curl accept passwords on the command line, against their own better judgement, for convenience. But immediately upon startup they overwrite argv with a blank value, effectively hiding the secret.
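A small shell helper, added here as an illustration and not part of the linked post, that applies the two points above: it checks that a secrets file is owner-only before use, and feeds the secret to the target command on stdin (for example curl's -d @-, which reads POST data from stdin) instead of expanding it into argv. The function names are my own.

```shell
# Illustrative helpers (not from the original post). Assumed names:
# secret_file_is_private, run_with_secret_on_stdin.

# Return 0 only if the path is a regular file whose mode grants nothing to
# group or other (e.g. -rw-------). The mode is read from `ls -ld` because
# stat(1) flags differ between GNU and BSD userlands. A symlink shows as
# "l..." and is rejected, so a link to a world-readable file will not pass.
secret_file_is_private() {
  f=$1
  [ -f "$f" ] || return 1
  mode=$(ls -ld "$f" | cut -c1-10)
  case "$mode" in
    -???------) return 0 ;;   # owner bits only
    *)          return 1 ;;   # any group/other bit set
  esac
}

# Run a command with the secret delivered on stdin. The command and its
# arguments are passed through unchanged, so `ps` shows them but never
# the secret, unlike the "$(< secret_file.txt)" expansion.
# Usage: run_with_secret_on_stdin secret_file.txt curl -d @- https://example.com:3000
run_with_secret_on_stdin() {
  f=$1
  shift
  if ! secret_file_is_private "$f"; then
    echo "refusing: $f is readable by group/other or is not a regular file" >&2
    return 2
  fi
  "$@" < "$f"
}
```

The argv-blanking done by mysql and curl still leaves a short window before the program starts, so stdin is the more robust path.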
Andrew Taylor on Twitter
The pretend code on the laptop screen in the stock photo at https://developer.bbc.com is user-editable.
bbcdev easter eggs - Pastebin.com
This contains all the blurred code from the text editor found on https://developer.bbc.com/login-required. Taken directly from https://s3-eu-west-1.amazonaws.com/developer-portal-assets/live/client/main.8dc76bdd.js
Language Log » The vocabulary of traditional Chinese thought and culture
I recently got hold of an electronic copy of this book:
Zhōngguó chuántǒng wénhuà guānjiàn cí (Hàn Yīng duìzhào) 中国传统文化关键词(汉英对照) (Key Terms of Traditional Chinese Culture / Key Concepts in Chinese Culture [original English title] [Chinese-English])
Beijing: Wàiyǔ jiàoxué yǔ yánjiū chūbǎn shè 2019 外语教学与研究出版社 2019 (Foreign Language Teaching and Research Press, 2019)
Here is a one-drive link to the whole book.
By and large, the translations are loose and often stray quite far from the original texts.
Some of the book's explanations are sadly out of date and erroneous, such as those for géyì 格義 (pp. 88-89), which the editors render as "Matching Meanings" (should be "categorized concepts") and the Six Rules of Painting (pp. 112-114), which needs to be completely redone, taking their Indian background into account.
Judging from a quick read through, I would guess that the most frequently cited text is the 5th-century Wénxīn diāolóng 文心雕龍 (The Literary Mind and the Carving of Dragons). Among early philosophical texts, Zhuang Zi (as well as Lao Zi) and Mo Zi are often quoted.
Combining the storage space of multiple disks
On Linux there are two main approaches to treating multiple drives or partitions as one collective storage space that is accessed as one big disk.
Logical Volume Management
LVM has three layers:
physical volumes (PV), which are initialized and combined into
Volume Groups (VG), which are then partitioned into
Logical Volumes (LV), which are like regular partitions but can span multiple devices inside the Volume Group
There are tutorials on how to set up LVM and install Linux on an LVM.
Advanced filesystems
ZFS: the zpool command
Btrfs: usually the system installer sets up the initial disk volume for us on one device and then we can add new disks to the storage volume as needed