Comment by tremon
1 month ago
Lots of developers all kinds of keys and tokens available to all processes they launch
But these files should not be world-readable. If they are, that's a basic developer hygiene issue.
1 month ago
Lots of developers all kinds of keys and tokens available to all processes they launch
But these files should not be world-readable. If they are, that's a basic developer hygiene issue.
It's a basic security hygiene issue that the likes of Google, AWS, Anthropic etc all fail.
Has any Cloud/SaaS-with-a-CLI company made a client that does something better, like Linux kernel keyrings?
ssh will refuse to work if the key is world-readable, but they are not protected from third-party code that is launched with the developer's permissions, unless they are using SELinux or custom ACLs, which is not common practice.