author | Lennart Poettering <lennart@poettering.net> | 2023-07-04 11:46:37 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2023-07-04 23:19:48 +0200 |
commit | de70ecb328d16dedcdea4c99cf9ff9d55491f120 (patch) | |
tree | 692ee86840846e499b5b269175fbb09de571c4b4 /docs/CREDENTIALS.md | |
parent | man: document where PID 1 imports credentials from (diff) | |
download | systemd-de70ecb328d16dedcdea4c99cf9ff9d55491f120.tar.xz systemd-de70ecb328d16dedcdea4c99cf9ff9d55491f120.zip |
import-creds: add support for binary credentials specified on the kernel cmdline
Diffstat (limited to 'docs/CREDENTIALS.md')
-rw-r--r-- | docs/CREDENTIALS.md | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/docs/CREDENTIALS.md b/docs/CREDENTIALS.md index da5152c164..9d06c45f1f 100644 --- a/docs/CREDENTIALS.md +++ b/docs/CREDENTIALS.md @@ -322,10 +322,11 @@ services where they are ultimately consumed. be sure they can be accessed securely from initrd context. 4. Credentials can also be passed into a system via the kernel command line, - via the `systemd.set-credential=` kernel command line option. Note though - that any data specified here is visible to all userspace applications (even - unprivileged ones) via `/proc/cmdline`. Typically, this is hence not useful - to pass sensitive information, and should be avoided. + via the `systemd.set_credential=` and `systemd.set_credential_binary=` + kernel command line options (the latter takes Base64 encoded binary + data). Note though that any data specified here is visible to all userspace + applications (even unprivileged ones) via `/proc/cmdline`. Typically, this + is hence not useful to pass sensitive information, and should be avoided. Credentials passed to the system may be enumerated/displayed via `systemd-creds --system`. They may also be propagated down to services, via the |
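Review bot: In item 4 the documented option spelling changes from `systemd.set-credential=` to `systemd.set_credential=` in the same edit that introduces `systemd.set_credential_binary=`, while the commit subject only mentions adding binary credentials. Suggest stating in the commit message or in the text whether the hyphenated spelling was a documentation mistake or is still accepted, so readers with existing kernel command lines know which form to use. The parenthetical "(the latter takes Base64 encoded binary data)" would also benefit from saying outright that Base64 is an encoding only: the `/proc/cmdline` visibility warning that follows applies equally to both options, and a reader skimming the list could take the encoded form to be less exposed than the plain one.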