
One thing to note about command line arguments on Linux is, any user can typically inspect `/proc/{pid}/cmdline` and get the full command line used to start the process. So if you pass secrets like API keys, passwords, etc, via an argument, they're visible to the rest of the system. However, if you put secrets into the environment of the child process, only the user that owns the child process can inspect `/proc/{pid}/environ`.


https://man7.org/linux/man-pages/man5/proc.5.html#DESCRIPTIO...
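
An added example, not part of the comments in this thread: a small audit script that walks procfs and reports processes whose command line carries a secret-looking flag, without printing the value. The flag list and the function names are assumptions made for illustration.

```python
import os
import re

# Assumed list of flag names that commonly carry secrets; extend as needed.
SECRET_FLAG = re.compile(
    r"^--?(?:password|passwd|token|api[-_]?key|secret)(=.+)?$", re.IGNORECASE
)


def read_cmdline(proc_root, pid):
    """Return a process's argv as a list; cmdline is NUL-separated."""
    try:
        with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
            raw = fh.read()
    except OSError:
        # Process exited, or procfs hides it from this user (e.g. hidepid).
        return []
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def find_exposed_secrets(proc_root="/proc"):
    """Return (pid, flag) for each secret-looking argument this user can read."""
    findings = []
    pids = sorted(filter(str.isdigit, os.listdir(proc_root)), key=int)
    for pid in pids:
        argv = read_cmdline(proc_root, pid)
        for i, arg in enumerate(argv):
            m = SECRET_FLAG.match(arg)
            if not m:
                continue
            # "--token=abc" has the value inline; "--token abc" in the next arg.
            if m.group(1) is not None or i + 1 < len(argv):
                # Report only the flag name, never the secret itself.
                findings.append((int(pid), arg.split("=", 1)[0]))
    return findings


if __name__ == "__main__":
    for pid, flag in find_exposed_secrets():
        print(f"pid {pid}: {flag} <redacted> readable via /proc/{pid}/cmdline")
```

Run it as an unprivileged user: anything it reports is readable by every other local account with the same view of procfs.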

One can use the `hidepid` parameter when mounting procfs to hide cmdlines.

I don't know why this is not implemented today by default in most distros. Probably historical reasons.


My guess is it would break stuff like `ps x`, but ideally tools that use the procfs would gracefully degrade in cases like this?



