Notes

Shell: Security

May 11, 2026
  • #nix
  • #security

Passing Sensitive Variables

Esxamples can be run inside a container: docker run -it alpine:3.22.4 sh and adding curl apk add curl

Passing as Command Environment Variable

supersecret=myfaketoken curl --header "Authorization: Bearer ${supersecret}" http://example.com &
ps auxww | grep curl; kill %1;
# <!doctype html><html lang="en"><head><title>Example Domain</title><meta name="viewport" content="width=device-width, initial-scale=1"><style>body{background:#eee;width:60vw;margin:15vh auto;font-family:system-ui,sans-serif}h1{font-size:1.5em}div{opacity:0.8}a:link,a:visited{color:#348}</style></head><body><div><h1>Example Domain</h1><p>This domain is for use in documentation examples without needing permission. Avoid use in operations.</p><p><a href="https://iana.org/domains/example">Learn more</a></p></div></body></html>

#    18 root      0:00 grep curl
# [1]+  Done                       curl --header "Authorization: Bearer ${supersecret}" http://example.com                     curl --header "Authorization: Bearer ${supersecret}" http://example.com
  • variable is not visible in command
  • may be visible to root and current user in /proc/<PID>/environ
curl --header "Authorization: Bearer myfaketoken" http://example.com &
ps auxww | grep curl; kill %1;
# <!doctype html><html lang="en"><head><title>Example Domain</title><meta name="viewport" content="width=device-width, initial-scale=1"><style>body{background:#eee;width:60vw;margin:15vh auto;font-family:system-ui,sans-serif}h1{font-size:1.5em}div{opacity:0.8}a:link,a:visited{color:#348}</style></head><body><div><h1>Example Domain</h1><p>This domain is for use in documentation examples without needing permission. Avoid use in operations.</p><p><a href="https://iana.org/domains/example">Learn more</a></p></div></body></html>

#    25 root      0:00 grep curl
# [1]+  Done                       curl --header "Authorization: Bearer myfaketoken" http://example.com
  • plain text visible in the command