Add same-process option for exec-env

Signed-off-by: Ricardo Matsui <ricmatsui@gmail.com>
2026-02-05 12:45:21 +01:00 · 2021-05-31 13:50:59 -07:00
parent 92651ed743
commit 08476d1bed
5 changed files with 42 additions and 14 deletions
--- a/README.rst
+++ b/README.rst
@@ -1052,6 +1052,11 @@ written to disk.
    $ echo your password: $database_password
    your password:

+If you want process signals to be sent to the command, for example if you are
+running ``exec-env`` to launch a server and your server handles sigterm, then the
+``--same-process`` flag can be used to instruct ``sops`` to start your command in
+the same process instead of a child process. This uses the ``execve`` system call
+and is supported on unix-like systems.

 If the command you want to run only operates on files, you can use ``exec-file``
 instead. By default, SOPS will use a FIFO to pass the contents of the
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -162,6 +162,10 @@ func main() {
 					Name:  "user",
 					Usage: "the user to run the command as",
 				},
+				cli.BoolFlag{
+					Name:  "same-process",
+					Usage: "run command in the current process instead of in a child process",
+				},
 			}, keyserviceFlags...),
 			Action: func(c *cli.Context) error {
 				if c.NArg() != 2 {
@@ -224,12 +228,13 @@ func main() {
 				}

 				if err := exec.ExecWithEnv(exec.ExecOpts{
-					Command:    command,
-					Plaintext:  []byte{},
-					Background: c.Bool("background"),
-					Pristine:   c.Bool("pristine"),
-					User:       c.String("user"),
-					Env:        env,
+					Command:     command,
+					Plaintext:   []byte{},
+					Background:  c.Bool("background"),
+					Pristine:    c.Bool("pristine"),
+					User:        c.String("user"),
+					SameProcess: c.Bool("same-process"),
+					Env:         env,
 				}); err != nil {
 					return toExitError(err)
 				}
--- a/cmd/sops/subcommand/exec/exec.go
+++ b/cmd/sops/subcommand/exec/exec.go
@@ -23,14 +23,15 @@ func init() {
 }

 type ExecOpts struct {
-	Command    string
-	Plaintext  []byte
-	Background bool
-	Pristine   bool
-	Fifo       bool
-	User       string
-	Filename   string
-	Env        []string
+	Command     string
+	Plaintext   []byte
+	Background  bool
+	SameProcess bool
+	Pristine    bool
+	Fifo        bool
+	User        string
+	Filename    string
+	Env         []string
 }

 func GetFile(dir, filename string) *os.File {
@@ -134,6 +135,14 @@ func ExecWithEnv(opts ExecOpts) error {

 	env = append(env, opts.Env...)

+	if opts.SameProcess {
+		if opts.Background {
+			log.Fatal("background is not supported for same-process")
+		}
+
+		return ExecSyscall(opts.Command, env)
+	}
+
 	cmd := BuildCommand(opts.Command)
 	cmd.Env = env

--- a/cmd/sops/subcommand/exec/exec_unix.go
+++ b/cmd/sops/subcommand/exec/exec_unix.go
@@ -11,6 +11,10 @@ import (
 	"syscall"
 )

+func ExecSyscall(command string, env []string) error {
+	return syscall.Exec("/bin/sh", []string{"/bin/sh", "-c", command}, env)
+}
+
 func BuildCommand(command string) *exec.Cmd {
 	return exec.Command("/bin/sh", "-c", command)
 }
--- a/cmd/sops/subcommand/exec/exec_windows.go
+++ b/cmd/sops/subcommand/exec/exec_windows.go
@@ -4,6 +4,11 @@ import (
 	"os/exec"
 )

+func ExecSyscall(command string, env []string) error {
+	log.Fatal("same-process not available on windows")
+	return nil
+}
+
 func BuildCommand(command string) *exec.Cmd {
 	return exec.Command("cmd.exe", "/C", command)
 }