getsops · felixfontein · Feb 15, 2025 · May 31, 2021 · Dec 2, 2024 · Dec 2, 2024
diff --git a/README.rst b/README.rst
@@ -1052,6 +1052,11 @@ written to disk.
     $ echo your password: $database_password
     your password:
 
+If you want process signals to be sent to the command, for example if you are
+running ``exec-env`` to launch a server and your server handles sigterm, then the
+``--same-process`` flag can be used to instruct ``sops`` to start your command in
+the same process instead of a child process. This uses the ``execve`` system call
+and is supported on unix-like systems.
 
 If the command you want to run only operates on files, you can use ``exec-file``
 instead. By default, SOPS will use a FIFO to pass the contents of the

diff --git a/cmd/sops/main.go b/cmd/sops/main.go
@@ -162,6 +162,10 @@ func main() {
 					Name:  "user",
 					Usage: "the user to run the command as",
 				},
+				cli.BoolFlag{
+					Name:  "same-process",
+					Usage: "run command in the current process instead of in a child process",
+				},
 			}, keyserviceFlags...),
 			Action: func(c *cli.Context) error {
 				if c.NArg() != 2 {
@@ -224,12 +228,13 @@ func main() {
 				}
 
 				if err := exec.ExecWithEnv(exec.ExecOpts{
-					Command:    command,
-					Plaintext:  []byte{},
-					Background: c.Bool("background"),
-					Pristine:   c.Bool("pristine"),
-					User:       c.String("user"),
-					Env:        env,
+					Command:     command,
+					Plaintext:   []byte{},
+					Background:  c.Bool("background"),
+					Pristine:    c.Bool("pristine"),
+					User:        c.String("user"),
+					SameProcess: c.Bool("same-process"),
+					Env:         env,
 				}); err != nil {
 					return toExitError(err)
 				}

diff --git a/cmd/sops/subcommand/exec/exec.go b/cmd/sops/subcommand/exec/exec.go
@@ -23,14 +23,15 @@ func init() {
 }
 
 type ExecOpts struct {
-	Command    string
-	Plaintext  []byte
-	Background bool
-	Pristine   bool
-	Fifo       bool
-	User       string
-	Filename   string
-	Env        []string
+	Command     string
+	Plaintext   []byte
+	Background  bool
+	SameProcess bool
+	Pristine    bool
+	Fifo        bool
+	User        string
+	Filename    string
+	Env         []string
 }
 
 func GetFile(dir, filename string) *os.File {
@@ -134,6 +135,14 @@ func ExecWithEnv(opts ExecOpts) error {
 
 	env = append(env, opts.Env...)
 
+	if opts.SameProcess {
+		if opts.Background {
+			log.Fatal("background is not supported for same-process")
+		}
+
+		return ExecSyscall(opts.Command, env)
+	}
+
 	cmd := BuildCommand(opts.Command)
 	cmd.Env = env
 

diff --git a/cmd/sops/subcommand/exec/exec_unix.go b/cmd/sops/subcommand/exec/exec_unix.go
@@ -11,6 +11,10 @@ import (
 	"syscall"
 )
 
+func ExecSyscall(command string, env []string) error {
+	return syscall.Exec("/bin/sh", []string{"/bin/sh", "-c", command}, env)
+}
+
 func BuildCommand(command string) *exec.Cmd {
 	return exec.Command("/bin/sh", "-c", command)
 }

diff --git a/cmd/sops/subcommand/exec/exec_windows.go b/cmd/sops/subcommand/exec/exec_windows.go
@@ -4,6 +4,11 @@ import (
 	"os/exec"
 )
 
+func ExecSyscall(command string, env []string) error {
+	log.Fatal("same-process not available on windows")
+	return nil
+}
+
 func BuildCommand(command string) *exec.Cmd {
 	return exec.Command("cmd.exe", "/C", command)
 }