Entire process's environment attached to bugzillas by ABRT

Richard W.M. Jones rjones at redhat.com
Mon Dec 1 16:01:26 UTC 2014

On Mon, Dec 01, 2014 at 03:18:36PM +0100, Zbigniew Jędrzejewski-Szmek wrote:
> On Sun, Nov 30, 2014 at 01:43:39PM +0000, Richard W.M. Jones wrote:
> > On Fri, Nov 28, 2014 at 07:39:47AM +0100, Jakub Filak wrote:
> > > The discussion I mentioned above was primarily about OpenStack (but the
> > > participants also expressed concerns about sending 'environ' to Bugzilla
> > > at all), where people are regularly storing their passwords and tokens
> > > as environment variables.
> > 
> > Yes unfortunately OpenStack does by default encourage people to source
> > a 'keystonerc_admin' file which contains authentication tokens.  The
> > file will look something like this:
> > 
> > export OS_USERNAME=admin
> > export OS_TENANT_NAME=admin
> > export OS_PASSWORD=mysecretpassword
> > export OS_AUTH_URL=
> > For Amazon EC2 you'd want to scrub /^AWS_/
> Would it be enough to scrub OS_PASSWORD? We could filter out *PASSWORD*
> without gathering 50 cases.

While it might be a good idea to also scrub all *PASSWORD* environment
strings, this isn't sufficient for AWS.  AWS has two environment
variables (AWS_ACCESS_KEY and AWS_SECRET_KEY) which are both

Also OS_USERNAME and OS_TENANT_NAME and even OS_AUTH_URL are somewhat
sensitive (less so than OS_PASSWORD of course) since they reveal that
a service exists, its location, and potential usernames to try


Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.

More information about the devel mailing list