eco-server.service: stop leaking userToken JWT via ExecStart argv #2

Open
opened 2026-05-23 20:54:25 +00:00 by coilysiren · 0 comments
Owner

_Originally filed by @coilysiren on 2026-05-23T19:19:13Z - [https://github.com/coilysiren/infrastructure/issues/297](https://github.com/coilysiren/infrastructure/issues/297)_

**Problem** - The eco-server systemd unit invokes `EcoServer -userToken="$eco_server_api_token"` (see `scripts/eco-server-start.sh`), which puts the JWT from SSM `/eco/server-api-token` into `/proc/<pid>/cmdline`. Any `systemctl status eco-server`, `ps`, or journald scrape that captures the cmdline (including agent transcripts) leaks the token in cleartext.

**Surfaced** - 2026-05-23, mid-incident chat transcript captured the JWT verbatim from `systemctl status` output during the LFS-pointer mod recovery (sibling issue: install-eco-mod-source.sh hardening).

**Fix shape** - Pass the token via env var or stdin instead of argv. Eco supports `userToken` via config file (`Configs/Network.eco` -> `ServerAPIToken`) as well; writing it there at ExecStartPre time and dropping the argv flag is the cleanest path. Rotate `/eco/server-api-token` once the unit no longer exposes it.

**Out of scope** - The DiscordLink token already gets injected via `jq` into `Configs/DiscordLink.eco` rather than argv. Mirror that pattern for the user token.
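
One way to apply the fix shape above and to confirm the unit no longer exposes the token before rotating, as an added example that is not the repository's script. Assumptions: `Configs/Network.eco` is JSON with a top-level `ServerAPIToken` key, the token arrives in an environment variable named `ECO_SERVER_API_TOKEN`, and the function names and the `apply` argument are hypothetical.

```shell
#!/bin/sh
# Added example, not the repository's code. Assumed wiring (placeholder paths):
#   ExecStartPre=<path-to-this-script> apply <server-dir>/Configs/Network.eco
# Run it as the service user so the server can read the 0600 file it produces.
set -eu

# Write the token into the JSON config without it appearing in any argv.
# Note: `jq --arg t "$TOKEN"` would move the leak into jq's own cmdline, so the
# value is read from jq's environment via `env.` instead. /proc/<pid>/environ
# is readable only by the owning user and root; cmdline is readable by anyone.
write_token() {
  wt_cfg="$1"
  [ -n "${ECO_SERVER_API_TOKEN:-}" ] || { echo "token not set" >&2; return 1; }
  wt_tmp="$(mktemp "${wt_cfg}.XXXXXX")"   # same directory, so mv is atomic
  chmod 600 "$wt_tmp"                     # restrict before the secret lands
  if ECO_SERVER_API_TOKEN="$ECO_SERVER_API_TOKEN" \
       jq '.ServerAPIToken = env.ECO_SERVER_API_TOKEN' "$wt_cfg" > "$wt_tmp"
  then
    mv "$wt_tmp" "$wt_cfg"
  else
    rm -f "$wt_tmp"
    return 1
  fi
}

# Return 0 if a NUL-separated cmdline file (e.g. /proc/<pid>/cmdline) contains
# a JWT-shaped argument: three base64url segments, the first starting "eyJ".
# Run it against the service's main PID after the change, before rotating.
cmdline_has_jwt() {
  tr '\0' '\n' < "$1" |
    grep -Eq 'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'
}

# Entry point: only acts when called as `<script> apply <config-path>`.
if [ "${1:-}" = "apply" ]; then
  write_token "$2"
fi
```
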

Reference
coilyco-flight-deck/infrastructure#2