Reasonable model for Storing credentials for use in scripts
I was reading question 180243 which states that using a password vault is the best option for credential storage. However, this is rather cumbersome to set up. For a lower-security use case (so no PII access or anything really damaging; the credentials are for a system user with limited access), would this be a reasonable security model?
- systemd starts a "keyloader" process as root. It reads secrets from a file only root can access and loads them into a keyring with linux-keyutils. It changes the owner of the secrets in the keyring to a service user (we will call "webserver"), then exits
- After it exits, systemd starts the webserver process as the webserver user. It retrieves the credentials from the keyring, then deletes them from the keyring after retrieval. It is a long-running process. No other processes run as the "webserver" user.
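The two-step handoff described above, written out with keyctl(1) as an added example (this is not code from the question or from keyutils). It assumes keyutils is installed and that the keyloader runs with enough privilege to `keyctl chown`; the keyring argument defaults to the session keyring `@s` so it can be tried unprivileged, and the function and key names (`load_secret`, `take_secret`, `demo_api_token`) are constructed for the example. Two details matter for the threat model in the question: the secret is fed to `keyctl padd` on stdin rather than as a `keyctl add` argument, so it never appears in `/proc/<pid>/cmdline` where any local user could read it, and the key's permission mask is set explicitly so that only the possessor and the owning uid can view or read it before ownership is handed over.

```shell
#!/bin/sh
# Added example, not the question's own code. Models the keyloader -> webserver
# handoff with keyctl(1). Assumes keyutils is installed; KEYRING defaults to @s.

# Keyloader side (runs as root in the model): read the secret from a
# root-only file and load it into the keyring through stdin (keyctl padd),
# so the secret is never part of a process command line.
load_secret() {
    name=$1; secret_file=$2; owner_uid=$3; ring=${4:-@s}
    id=$(keyctl padd user "$name" "$ring" < "$secret_file") || return 1
    # Permission mask: possessor = all, user = all, group = none, other = none.
    # Bits per class: view 0x01 read 0x02 write 0x04 search 0x08 link 0x10 setattr 0x20
    keyctl setperm "$id" 0x3f3f0000 || return 1
    # Hand the key to the service user. Only root may change a key's owner,
    # so this step is skipped when loading into our own keyring for a dry run.
    if [ "$owner_uid" != "$(id -u)" ]; then
        keyctl chown "$id" "$owner_uid" || return 1
    fi
    printf '%s\n' "$id"
}

# Webserver side: look the key up by description, emit its payload once,
# then unlink it so the keyring no longer holds it.
take_secret() {
    name=$1; ring=${2:-@s}
    id=$(keyctl search "$ring" user "$name" 2>/dev/null) || return 1
    keyctl pipe "$id" || return 1
    keyctl unlink "$id" "$ring" >/dev/null || return 1
}

# Returns success only if no key with that description remains in the keyring;
# the consumer can call this after take_secret to confirm the cleanup worked.
secret_absent() {
    ! keyctl search "${2:-@s}" user "$1" >/dev/null 2>&1
}

# Dry run as the current user (constructed demo value, not a real credential):
#   tmp=$(mktemp); printf 'constructed-demo-secret' > "$tmp"
#   load_secret demo_api_token "$tmp" "$(id -u)" @s; rm -f "$tmp"
#   take_secret demo_api_token @s && secret_absent demo_api_token @s
```

In the real deployment the keyloader cannot use its own `@s`, because the webserver process started later by systemd will not possess root's session keyring. One keyring that root can address and the service user can later find is that user's persistent keyring (`keyctl get_persistent @u <uid>` from the loader, `keyctl get_persistent @u` from the webserver); pass its id as the fourth argument to `load_secret` and the second to `take_secret`. Note that `unlink` removes the link from that keyring; if the key was also linked elsewhere it survives, which is why `secret_absent` checks the result rather than trusting the unlink.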
My understanding is that this only has four points of exposure that result in the attacker getting credentials from this server:
- The attacker has root access (I am in trouble anyway in this scenario)
- The attacker finds a remote code execution vulnerability that specifically applies to the webserver process and retrieves credentials from program memory.
- The attacker somehow gets remote code execution as the webserver user at boot and catches the key from keyutils before the webserver process deletes it.
- The attacker has physical access (it's in a locked room in this context).
Are there exposure points (barring outside factors like the hacker breaking into the server the credentials are used to authenticate with) I am overlooking?
Are there steps I could take to make this model more secure without an unreasonable level of effort on making the implementation?