Entire process's environment attached to bugzillas by ABRT

Richard W.M. Jones rjones at redhat.com
Mon Dec 1 16:01:26 UTC 2014


On Mon, Dec 01, 2014 at 03:18:36PM +0100, Zbigniew Jędrzejewski-Szmek wrote:
> On Sun, Nov 30, 2014 at 01:43:39PM +0000, Richard W.M. Jones wrote:
> > On Fri, Nov 28, 2014 at 07:39:47AM +0100, Jakub Filak wrote:
> > > The discussion I mentioned above was primarily about OpenStack (but the
> > > participants also expressed concerns about sending 'environ' to Bugzilla
> > > at all), where people are regularly storing their passwords and tokens
> > > as environment variables.
> > 
> > Yes, unfortunately OpenStack does by default encourage people to source
> > a 'keystonerc_admin' file which contains authentication tokens.  The
> > file will look something like this:
> > 
> > export OS_USERNAME=admin
> > export OS_TENANT_NAME=admin
> > export OS_PASSWORD=mysecretpassword
> > export OS_AUTH_URL=http://127.0.0.1:35357/v2.0/
> 
> > For Amazon EC2 you'd want to scrub /^AWS_/
> Would it be enough to scrub OS_PASSWORD? We could filter out *PASSWORD*
> without gathering 50 cases.

While it might be a good idea to also scrub all *PASSWORD* environment
strings, this isn't sufficient for AWS.  AWS has two environment
variables (AWS_ACCESS_KEY and AWS_SECRET_KEY) which are both
sensitive.

Also OS_USERNAME and OS_TENANT_NAME and even OS_AUTH_URL are somewhat
sensitive (less so than OS_PASSWORD of course) since they reveal that
a service exists, its location, and potential usernames to try
brute-forcing.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
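A scrubber along the lines the thread discusses, as an added example that is not from the thread or from ABRT itself: it applies a *PASSWORD* substring rule, the /^AWS_/ prefix rule and an OS_ prefix rule to a /proc/<pid>/environ-style blob (NUL-separated NAME=VALUE pairs) before anything is attached to a bug. The rule list, the `<redacted>` marker and the sample environment are assumptions made for the example.

```python
import re

# Scrub rules reflecting the points raised in the thread (assumed list, not ABRT's):
#  - anything containing PASSWORD (OS_PASSWORD, DB_PASSWORD, ...)
#  - every AWS_* variable, since AWS_ACCESS_KEY and AWS_SECRET_KEY are both secret
#  - every OS_* variable, since even OS_USERNAME / OS_AUTH_URL reveal a service
#    and candidate usernames, not just OS_PASSWORD
SENSITIVE_PATTERNS = [
    re.compile(r"PASSWORD", re.IGNORECASE),
    re.compile(r"^AWS_"),
    re.compile(r"^OS_"),
]

REDACTED = "<redacted>"  # assumed marker; the name is kept so the bug stays useful


def is_sensitive(name):
    """True if the variable name matches any scrub rule."""
    return any(p.search(name) for p in SENSITIVE_PATTERNS)


def parse_environ_blob(blob):
    """Parse NUL-separated NAME=VALUE bytes (the /proc/<pid>/environ layout)."""
    env = {}
    for entry in blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep:  # skip empty trailing entries and malformed ones without '='
            env[name.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def scrub_environ(env):
    """Return a copy of the environment with sensitive values replaced."""
    return {k: (REDACTED if is_sensitive(k) else v) for k, v in env.items()}


def scrub_environ_blob(blob):
    """Parse, scrub and re-serialise as newline-separated text for attachment."""
    scrubbed = scrub_environ(parse_environ_blob(blob))
    return "\n".join(f"{k}={v}" for k, v in sorted(scrubbed.items()))


# Constructed sample environment (values are made up for the example).
SAMPLE_ENVIRON = (b"PATH=/usr/bin\0HOME=/home/admin\0OS_USERNAME=admin\0"
                  b"OS_PASSWORD=mysecretpassword\0OS_AUTH_URL=http://127.0.0.1:35357/v2.0/\0"
                  b"AWS_SECRET_KEY=constructed-secret\0DB_PASSWORD_FILE=/etc/db.pw\0")

if __name__ == "__main__":
    print(scrub_environ_blob(SAMPLE_ENVIRON))
```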