1

I'm trying to set an ENV variable in a crontab every so often to change the session_secret. Using both ruby and bash, I can't seem to get out of the sandboxed environments that they use. I need to set this variable to a randomly generated hex value of so many characters.

Is this possible? I can't seem to change the current instance value.

MYVAR=$(openssl rand -hex 32)

This is in a bash script, but does not change when I go to check as my own user. Not sure what I'm doing wrong.

Rich_F
  • 144
  • The cronjob that you have is only going to add the environment variable for the user who is running it which I'd assume is root in your case. – Nasir Riley Jan 06 '21 at 01:46
  • 1
    maybe this answers your question? https://unix.stackexchange.com/questions/64258/what-do-the-scripts-in-etc-profile-d-do – Michael D. Jan 06 '21 at 02:44
  • @NasirRiley I just looked and root doesn't even have that variable defined. So I need to do some more work as to who owns the variable and maybe even park this into my app somehow. I'll be reading up what Michael posted as well. Rabbit hole. – Rich_F Jan 06 '21 at 08:34
  • Once your bash shell is running how is it supposed to know that something somewhere has changed something? Think about that. What you're looking for is akin to hijacking the user session which is possible but not simple. – Artem S. Tashkinov Jan 06 '21 at 11:07
  • @ArtemS.Tashkinov This isn't about a bash shell. This is about another application that needs a secret for sessions. This is never used in any shell. Other applications than the shell use ENV vars. – Rich_F Jan 06 '21 at 11:09
  • @MichaelD. Nope. – Rich_F Jan 07 '21 at 14:11

1 Answer

2

Wrong conclusion - ability to change the process environment from outside the process.

Let's say you run a ruby script.

This starts a bash shell instance with environment vars, in which the ruby interpreter starts inheriting the current bash shell instance environment and maybe adding some interpreter specific new env vars.

Each running program gets a process id aka pid. The process environment is stored in /proc/<pid>/environ which is read only and can't be changed from outside - as pointed out here: change environment of a running process

While your ruby script is running the parent bash instance is running, too. This bash instance is not reading changed env vars and is not inheriting or propagating new vars to its child:

$ pstree -p | grep ruby
bash(1234)---ruby(5678)

you can grep for your env.vars with xargs -n 1 -0 < /proc/5678/environ | grep MYVAR

The only way to have the new changed environment vars while the script was running is to start a new bash/ruby instance and exit the old one.


Possible wrong conclusion - script reads constantly from env - script gets notified when env has changed - env is not being cached by the interpreter.

Usually a script initializes reading env vars when starting the script only, and keeps using internal vars at runtime, not env vars. Even if changing the process env from outside were possible, and the script reads constantly the environment vars - the env could be a cached copy and not the real deal.

(python example)

# start
import os

key = os.environ.get('MYVAR')  # read once, when the script starts

# do something with key until the script ends


Answers:

  1. Modify the ruby script to execute openssl rand -hex 32 and read the result to the variable from time to time.
  2. Modify the ruby script to read a file /path/data into a variable generated by cron with output from openssl rand -hex 32 from time to time.
  3. A cronjob restarts the script with the new environment (i.e. with sudo # see switches -i -u and --). As mentioned in the comments, user-wide env could be set in profile.d: what-do-the-scripts-in-etc-profile-d-do
Michael D.
  • 2,830
  • This is not an ongoing script but called via cron on a long schedule. But your second point seems like a good workaround. It seems I can't cross that wall between the cron's user and the user of my app. I should start looking at the app's ability to set an internal value, but that goes against the concept of hiding such secrets in ENV vars. – Rich_F Jan 08 '21 at 10:45
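
The answer's second option, as an added example that is not part of the original answer: cron writes the openssl rand -hex 32 output to a file and the application re-reads it instead of relying on its environment. SECRET_FILE, the function names and the od fallback are assumptions, and the rotation is assumed to run from the application user's own crontab.

```shell
#!/bin/sh
# Added example, not from the original post. SECRET_FILE and the function
# names are hypothetical; the answer only calls the file /path/data.

# 32 random bytes as 64 hex chars; the od fallback is an assumption for hosts without openssl.
gen_hex() {
    if command -v openssl >/dev/null 2>&1; then openssl rand -hex 32
    else od -An -N32 -tx1 /dev/urandom | tr -d ' \n'; fi
}

# Cron side: write a new secret to a temp file, then swap it into place.
rotate_secret() (
    hex=$(gen_hex) || exit 1
    # mktemp creates the file with mode 0600, so it is never group/world readable.
    tmp=$(mktemp "$(dirname -- "$SECRET_FILE")/.secret.XXXXXX") || exit 1
    # rename within one directory is atomic: a reader sees the old or the new secret.
    printf '%s\n' "$hex" > "$tmp" && mv -f -- "$tmp" "$SECRET_FILE" ||
        { rm -f -- "$tmp"; exit 1; }
)

# App side: re-read on use and refuse an exposed or malformed file.
read_secret() (
    [ -f "$SECRET_FILE" ] || exit 1
    [ ! -L "$SECRET_FILE" ] || exit 1          # do not follow a symlink
    perms=$(ls -ld -- "$SECRET_FILE" | cut -c1-10)
    case "$perms" in
        -rw-------|-r--------) ;;
        *) echo "refusing $SECRET_FILE: mode $perms" >&2; exit 1 ;;
    esac
    IFS= read -r secret < "$SECRET_FILE" || exit 1
    case "$secret" in ''|*[!0-9a-f]*) exit 1 ;; esac
    [ "${#secret}" -eq 64 ] || exit 1
    printf '%s\n' "$secret"
)

# Demo in a constructed temp directory; a real path should sit in a directory
# that only the application's user can write to.
SECRET_FILE="$(mktemp -d)/session_secret"
rotate_secret && first=$(read_secret)
rotate_secret && second=$(read_secret)
[ "$first" != "$second" ] && echo "reader sees the rotated value without a restart"
chmod 644 "$SECRET_FILE"
read_secret 2>/dev/null || echo "exposed file rejected until the next rotation"
rm -rf -- "$(dirname -- "$SECRET_FILE")"
```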