[Feature] Add "env-unset" variable tag for unsettling sensitive data about cleanenv HOT 6 CLOSED

I'm not very familiar with this practice. Could you give me an example of how and when it applies?

from cleanenv.

@ilyakaznacheev To hide credentials from none root users when application is started from systemd (as daemon) with none root users.

That way credentials are only available to systemd (and root) in initial start of application, then after start and user change they are dropped from environment.

from cleanenv.

What you mean by "hide"?

The library only reads configs, not prints them or something like that. Hiding sensitive data from users is far beyond its scope.

from cleanenv.

Setting private information inside env, this info will still be accessible from application and even from /proc/PID/environ.

By hiding I mean, unsetting env key that contains sensitive information.

You could say that this is not in scope of library, but without this, using library doesn't make much sense.
One would still have to manage env so why not manage all envs.

Feel free to close if you think that this is not important.

from cleanenv.

The library doesn't manage the environment. It only reads from env variables, and only if it was chosen as a source of data.

You may try to use a custom setter to unset the environment variable there.

I will think about adding some kind of middleware with more metainfo on input.

from cleanenv.

So the solution - do not pass sensitive data with environment variables, use config files instead. You can remove the file just after the app started, so the requirements will be met. You can do that directly from the app.

And yes, it is not in the scope of the library, but you can easily achieve it like as I said before.

from cleanenv.