From 438311a5181ccf6e12a6a0a976bb8b5853b9be12 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 13 Nov 2018 23:09:32 +0100 Subject: [PATCH] man: document that env vars are not suitable for passing secrets Prompted by the thread around: https://lists.freedesktop.org/archives/systemd-devel/2018-November/041665.html --- man/systemd.exec.xml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 3f0535726b..41b5d7144d 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1645,7 +1645,13 @@ SystemCallErrorNumber=EPERM See environ7 for details - about environment variables. + about environment variables. + + Note that environment variables are not suitable for passing secrets (such as passwords, key material, …) + to service processes. Environment variables set for a unit are exposed to unprivileged clients via D-Bus IPC, + and generally not understood as being data that requires protection. Moreover, environment variables are + propagated down the process tree, including across security boundaries (such as setuid/setgid executables), and + hence might leak to processes that should not have access to the secret data.
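Review bot: The paragraph added in the `@@ -1645,7 +1645,13 @@` hunk of man/systemd.exec.xml tells the reader that environment variables are unsuitable for secrets but ends without saying what to use instead, so an administrator reading it has no next step. Consider closing the paragraph with a sentence that points to whatever mechanism the project recommends for handing secrets to a service. Two wording points in the same paragraph: in "(such as passwords, key material, …)" the "such as" already marks the list as open, so the trailing "…" can be dropped; and "generally not understood as being data that requires protection" would read more clearly as "are generally not treated as data that requires protection". The D-Bus sentence would also be easier to act on if it named how an unprivileged client sees the values, so readers can check their own units.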