Entire process's environment attached to bugzillas by ABRT

Jakub Filak jfilak at redhat.com
Tue Dec 2 11:51:12 UTC 2014


On Mon, 2014-12-01 at 16:01 +0000, Richard W.M. Jones wrote:
> On Mon, Dec 01, 2014 at 03:18:36PM +0100, Zbigniew Jędrzejewski-Szmek wrote:
> > On Sun, Nov 30, 2014 at 01:43:39PM +0000, Richard W.M. Jones wrote:
> > > On Fri, Nov 28, 2014 at 07:39:47AM +0100, Jakub Filak wrote:
> > > > The discussion I mentioned above was primarily about OpenStack (but the
> > > > participants also expressed concerns about sending 'environ' to Bugzilla
> > > > at all), where people are regularly storing their passwords and tokens
> > > > as environment variables.
> > > 
> > > Yes unfortunately OpenStack does by default encourage people to source
> > > a 'keystonerc_admin' file which contains authentication tokens.  The
> > > file will look something like this:
> > > 
> > > export OS_USERNAME=admin
> > > export OS_TENANT_NAME=admin
> > > export OS_PASSWORD=mysecretpassword
> > > export OS_AUTH_URL=http://127.0.0.1:35357/v2.0/
> > 
> > > For Amazon EC2 you'd want to scrub /^AWS_/
> > Would it be enough to scrub OS_PASSWORD? We could filter out *PASSWORD*
> > without gathering 50 cases.
> 
> While it might be a good idea to also scrub all *PASSWORD* environment
> strings, this isn't sufficient for AWS.  AWS has two environment
> variables (AWS_ACCESS_KEY and AWS_SECRET_KEY) which are both
> sensitive.
> 
> Also OS_USERNAME and OS_TENANT_NAME and even OS_AUTH_URL are somewhat
> sensitive (less so than OS_PASSWORD of course) since they reveal that
> a service exists, its location, and potential usernames to try
> bruteforcing.
> 

ABRT highlights almost all of them:
https://github.com/abrt/libreport/blob/master/src/gui-wizard-gtk/forbidden_words.conf
/etc/libreport/forbidden_words.conf

But apparently the highlighting of sensitive words does not address this
issue very well.

We already auto-remove 'rootpw' lines from Anaconda reports[1], so there
is no argument against implementing the same thing for the 'environ' file
for all applications:
https://bugzilla.redhat.com/show_bug.cgi?id=1169760



Jakub


1: https://bugzilla.redhat.com/show_bug.cgi?id=1041558
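
The line removal proposed in this message can be sketched as follows. This is an added example, not ABRT or libreport code. It assumes the 'environ' file is a newline-separated list of NAME=value entries, and the glob list (`*PASSWORD*`, `AWS_*`, `OS_*`) is a hypothetical deny-list assembled from the names mentioned in the thread.

```python
import fnmatch
import re

# Assumed deny-list built from names in this thread; not ABRT's configuration.
SENSITIVE_GLOBS = ["*PASSWORD*", "AWS_*", "OS_*"]

# A line starts a new variable only if it looks like NAME=...
_VAR_START = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=")


def is_sensitive(name, globs=SENSITIVE_GLOBS):
    """Case-insensitive glob match of a variable name against the deny-list."""
    upper = name.upper()
    return any(fnmatch.fnmatchcase(upper, g.upper()) for g in globs)


def scrub_environ(text, globs=SENSITIVE_GLOBS):
    """Return (scrubbed_text, removed_names) for a newline-separated dump.

    A value may itself contain newlines, so a line that does not start a
    new NAME= entry is treated as a continuation of the previous variable
    and is dropped together with it when that variable is sensitive.
    """
    kept, removed = [], []
    dropping = False
    for line in text.splitlines():
        m = _VAR_START.match(line)
        if m:
            dropping = is_sensitive(m.group(1), globs)
            if dropping:
                removed.append(m.group(1))
        if not dropping:
            kept.append(line)
    return "\n".join(kept), removed


# Constructed sample; the OS_* lines reuse the keystonerc_admin values above.
SAMPLE = "\n".join([
    "HOME=/root",
    "OS_USERNAME=admin",
    "OS_PASSWORD=mysecretpassword",
    "OS_AUTH_URL=http://127.0.0.1:35357/v2.0/",
    "AWS_SECRET_KEY=constructed-example",
    "second-line-of-a-multi-line-secret",
    "db_password=constructed",
    "PATH=/usr/bin:/bin",
])
```

A continuation line that itself looks like NAME=value is indistinguishable from a new variable in this format and would be kept, so a name-based filter reduces exposure but does not guarantee that no secret remains in the report.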


