Entire process's environment attached to bugzillas by ABRT
jfilak at redhat.com
Fri Nov 28 06:39:47 UTC 2014
On Fri, 2014-11-28 at 00:28 +0100, Zbigniew Jędrzejewski-Szmek wrote:
> On Thu, Nov 27, 2014 at 07:02:00PM +0100, Jan Kratochvil wrote:
> > On Thu, 27 Nov 2014 16:23:57 +0100, Jakub Filak wrote:
> > > Do you find 'environ' attachment valuable or is ABRT just publishing personal
> > > information?
> > No but I can imagine in some cases it may be useful.
> Is this a problem in practice?

Unfortunately yes, I started this thread after participating in a
discussion about leaking personal information in 'environment'.

> I don't recall ever seeing anything
> private in the hundreds of abrt traces I looked at.
> I checked the environment of my shell, nothing interesting there, and
> I'm not aware of any services using environment variables to pass
> authentication data.

The discussion I mentioned above was primarily about OpenStack (but the
participants also expressed concerns about sending 'environ' to Bugzilla
at all), where people are regularly storing their passwords and tokens
as environment variables.

> If anything, the cwd and open fds reveal the most
> information, but they are also one of the most useful parts (in my
> experience, that is version strings and backtrace followed by open fds).
> > Couldn't there be a way to send additional information upon bug assignee's
> > request? That would be typically useful with the core files but reporters
> > always said they cannot find the core file anywhere.
> Actually if the scheme that Jakub is working on is adopted and
> coredumps are stored by systemd, they will be available for longer,
> and it should often be possible to request a coredump after the fact.
> But in general depending on user help after the fact is most often
> futile. I wouldn't go there unless actual complaints about exposed
> data appear.

I opened the following bugzilla bug for those who store private data as