diff options
author | Ryan Lue <hello@ryanlue.com> | 2022-06-30 23:04:35 -0700 |
---|---|---|
committer | Lukas Fleischer <lfleischer@calcurse.org> | 2023-04-11 15:22:03 -0400 |
commit | e772c4b6d52627c463e70b4284e3794aa0bd0634 (patch) | |
tree | ea1962c737cac208ab8c8b034bde22b8cc3e32d1 /contrib/caldav/config.sample | |
parent | 4cd300f2c408907b4a576b55fc15479afbd5d81f (diff) | |
download | calcurse-e772c4b6d52627c463e70b4284e3794aa0bd0634.tar.gz calcurse-e772c4b6d52627c463e70b4284e3794aa0bd0634.zip |
calcurse-caldav: Support PasswordCommand option
This commit adds a new `Auth/PasswordCommand` option
to support security best practices re: handling secrets
in CLI program configuration.
Prior to this commit, the two available options
for specifying a password were:
1. via the `Auth/Password` config parameter, or
2. via a `$CALCURSE_CALDAV_PASSWORD` environment variable.
The former is unsafe for obvious reasons;
the latter is unsafe because as long as the script is running,
its environment can be accessed via
$ cat /proc/<pid>/environ
and is thus visible to anyone with access to the system.
This commit preserves preexisting behavior (for backward compatibility)
but removes all mention of option 2 from the README.
Since the README example for option 2 used a password command anyway,
there is little reason to continue its use,
and this commit recommends it be deprecated.
Signed-off-by: Lukas Fleischer <lfleischer@calcurse.org>
Diffstat (limited to 'contrib/caldav/config.sample')
-rw-r--r-- | contrib/caldav/config.sample | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/contrib/caldav/config.sample b/contrib/caldav/config.sample index e2c6c2d..0ba8fa8 100644 --- a/contrib/caldav/config.sample +++ b/contrib/caldav/config.sample @@ -48,11 +48,13 @@ DryRun = Yes # Enable this if you want detailed logs written to stdout. Verbose = Yes -# Credentials for HTTP Basic Authentication. Leave this commented out if you do -# not want to use authentication. +# Credentials for HTTP Basic Authentication (if required). +# Set `Password` to your password in plaintext (unsafe), +# or `PasswordCommand` to a shell command that retrieves it (recommended). #[Auth] #Username = user -#Password = pass +#Password = password +#PasswordCommand = pass baikal # Optionally specify additional HTTP headers here. #[CustomHeaders] |