Today I learned that unprivileged users can run "systemctl show servicename" to see all the environment variables set in the .service file.
This means if someone sets their AWS_SECRET_ACCESS_KEY in there (or any other secret), it can be read by an attacker even if they don't have read privileges to read the .service file.
For defenders, use EnvironmentFile= instead of Environment= and as long as your environment file has the correct privileges, you will be fine on this front.
@taylan I've seen some places where administrators are not allowed to be root under any circumstances (and that was technically enforced, not just a company rule), but I agree that it's rare.
In either case, it could allow an unprivileged internet attacker who gained remote code execution to elevate from an untrusted user (apache, www-data, etc.)
Come to think of it, looking at service info might be a good thing to alert on. Seems like an uncommon command
Mostly hackers, mostly in Urbana, IL, talking to each other & our friends on like-minded servers without giving our personal data to the marketing machine.