From 3cd8337f775c8e41e5147ad369b20904ffd80e2b Mon Sep 17 00:00:00 2001
From: Giacomo Sanchietti
Date: Mon, 29 Jun 2026 11:42:29 +0200
Subject: [PATCH] fix(vmalert): use passwordFile option
Do not leak the registration secret inside command line. It will not be visible using ps command.
---
 packages/victoria-metrics/files/vmalert.initd | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/packages/victoria-metrics/files/vmalert.initd b/packages/victoria-metrics/files/vmalert.initd
index 636202aa2..3abf258f9 100644
--- a/packages/victoria-metrics/files/vmalert.initd
+++ b/packages/victoria-metrics/files/vmalert.initd
@@ -53,9 +53,15 @@ start_service() {
 # Also forward alerts to my.nethesis.it for registered enterprise systems
 if [ -n "$notifier_url" ]; then
+ # Avoid leaking secret inside command line
+ local pass_file="/var/run/vmalert/notifier.pass"
+ mkdir -p /var/run/vmalert
+ chmod 700 /var/run/vmalert
+ ( umask 077; printf '%s' "$notifier_pass" > "$pass_file" )
+ procd_append_param command -notifier.url="$notifier_url"
 procd_append_param command -notifier.basicAuth.username="$notifier_user"
- procd_append_param command -notifier.basicAuth.password="$notifier_pass"
+ procd_append_param command -notifier.basicAuth.passwordFile="$pass_file"
 fi
 procd_set_param stdout 1
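Review bot: The `umask 077` in the subshell only takes effect when `notifier.pass` is newly created; if the file already exists with a wider mode, the redirection truncates it and keeps that mode, and `mkdir -p` creates the directory under the default umask before `chmod 700` tightens it. Creating the directory inside the same subshell and setting the file mode explicitly closes both gaps: `( umask 077; mkdir -p /var/run/vmalert && printf '%s' "$notifier_pass" > "$pass_file" )` followed by `chmod 600 "$pass_file"`. None of these commands has its exit status checked, so a failed write would still start vmalert with `-notifier.basicAuth.passwordFile` pointing at a missing or stale file; logging the failure and skipping the notifier parameters seems safer. The secret file is also left on disk when `notifier_url` is later empty; whether it is removed elsewhere (for example on stop) is not visible here, since `start_service` begins and ends outside the hunk.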