Entire process's environment attached to bugzillas by ABRT

[Lubomir Rintel]

On Sun, 2014-11-30 at 13:43 +0000, Richard W.M. Jones wrote:
> On Fri, Nov 28, 2014 at 07:39:47AM +0100, Jakub Filak wrote:
> > The discussion I mentioned above was primarily about OpenStack (but the
> > participants also expressed concerns about sending 'environ' to Bugzilla
> > at all), where people are regularly storing their passwords and tokens
> > as environment variables.
> 
> Yes unfortunately OpenStack does by default encourage people to source
> a 'keystonerc_admin' file which contains authentication tokens.  The
> file will look something like this:
> 
> export OS_USERNAME=admin
> export OS_TENANT_NAME=admin
> export OS_PASSWORD=mysecretpassword
> export OS_AUTH_URL=http://127.0.0.1:35357/v2.0/
> 
> For a public cloud, knowing those values could give anyone access to
> the account.
> 
> How about having abrt just remove or scrub all variables that start
> with /^OS_/ ?  I know it's nasty to have application-specific
> treatment of environment variables like this, but the number of
> applications that pass auth information through environment variables
> is small.
> 
> For Amazon EC2 you'd want to scrub /^AWS_/

Some time ago I've run a search against Bugzilla and found a large
numbers of actual EC2 credentials there after I almost fell victim to
this myself.

So, yes, this IS a very actual issue. I find it perfectly possible that
someone else could do the same search and at the same time I find it
naive to assume everyone finds it inappropriate to access the affected
systems.

ABRT itself marked the reports potentially sensitive ("SECRET" in the
environment variable). The reporters did not apparently mind and I know
it's easy to make the mistake.

PS: I contacted everyone affected at the time so that they change their
credentials. Some of the reports were rather old and the credentials
still worked! Rotate your credentials regularly!

Lubo