Sometimes, you need to deal with secrets in an interactive shell. Say, for example, you want to do things with the API of a GitLab instance for which you require authentication:

    $ curl -fsSLH 'Authorization: Bearer 1s7zo2a-mzsLP6yAo2SM' https://gitlab.example.com/api/v4/projects

Oh no!

Process information leakage

By doing that, you’ve just made the token available to everything on your system that can see your processes! Process command lines are visible to all processes through /proc on most Linux distributions. This is how tools like ps and pgrep work on Linux – they walk through the per-process directories in /proc and read files describing the process, like stat or status and cmdline.

You can use the hidepid mount option for the proc filesystem to prevent users from inspecting processes of other users. macOS also hides other users’ processes by default.

However, many tools allow you to avoid passing secrets on the command line at all, and this is usually a better approach because you can apply it even on systems where you don’t have the necessary access to change mount options for /proc.

In the curl example, you can write the header to a file and have curl read it from there instead of from the command line directly:

    $ umask 077 # prevent the file from being readable for other users
    # echo is a shell builtin, so it doesn't show up in the process table
    $ echo 'Authorization: Bearer 1s7zo2a-mzsLP6yAo2SM' > auth-header
    $ curl -fsSLH @auth-header https://gitlab.example.com/api/v4/projects

But Unix-like systems support fancy files that don’t behave like simple files, which lets you avoid actually storing the secret. Many shells support so-called “process substitution”, which launches a subshell and provides its output as a virtual file that doesn’t actually represent persistent storage, instead being a buffer which can only be read from once.

    $ echo <(echo secret token)
    /dev/fd/63
    $ curl -fsSLH @<(echo 'Authorization: Bearer 1s7zo2a-mzsLP6yAo2SM') https://gitlab.exam...
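
The /proc walk described above can be turned into a quick audit for secrets sitting in command lines. This is an added example, not code from the original post: the function names, the SECRET_RE heuristic and the sample process tree are assumptions constructed here, and the scanner accepts an alternative proc root so it can run against that constructed tree.

```sh
#!/bin/sh
# Added example: flag processes whose argv contains a secret-looking argument.
# SECRET_RE is an assumed heuristic, not an exhaustive list.
SECRET_RE='authorization: *(bearer|basic) |(^| )--?(password|token)[= ]'

# find_argv_secrets [PROC_ROOT]: print "PID<TAB>first word of argv[0]" per match.
# The matching argument itself is never printed, so the audit does not
# copy the secret into terminals or logs.
find_argv_secrets() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        # A process may exit mid-scan or be unreadable: skip it.
        cmd=$( { tr '\0' ' ' < "$dir/cmdline"; } 2>/dev/null ) || continue
        [ -n "$cmd" ] || continue          # kernel threads: empty cmdline
        if printf '%s\n' "$cmd" | grep -Eiq -- "$SECRET_RE"; then
            printf '%s\t%s\n' "${dir##*/}" "${cmd%% *}"
        fi
    done
}

# Build a constructed stand-in for /proc (argv is NUL-separated in cmdline).
make_sample_proc() {
    root=$(mktemp -d) || return 1
    mkdir "$root/101" "$root/102" "$root/103" "$root/104"
    # 101: header on the command line (the leaking form from the text)
    printf 'curl\0-fsSLH\0Authorization: Bearer CONSTRUCTED-TOKEN\0https://gitlab.example.com/api/v4/projects\0' > "$root/101/cmdline"
    # 102: header read from a file, nothing secret in argv
    printf 'curl\0-fsSLH\0@auth-header\0https://gitlab.example.com/api/v4/projects\0' > "$root/102/cmdline"
    # 103: empty cmdline, as for a kernel thread
    : > "$root/103/cmdline"
    # 104: hypothetical tool taking a token as a flag
    printf 'sometool\0--token=CONSTRUCTED\0' > "$root/104/cmdline"
    printf '%s\n' "$root"
}

sample=$(make_sample_proc)
find_argv_secrets "$sample"   # reports PIDs 101 and 104 only
rm -rf "$sample"
```

Called with no argument, find_argv_secrets scans the live /proc; with hidepid in effect an unprivileged user will only see their own processes in the result.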