Entire process's environment attached to bugzillas by ABRT

Richard W.M. Jones rjones at redhat.com
Sun Nov 30 13:43:39 UTC 2014

On Fri, Nov 28, 2014 at 07:39:47AM +0100, Jakub Filak wrote:
> The discussion I mentioned above was primarily about OpenStack (but the
> participants also expressed concerns about sending 'environ' to Bugzilla
> at all), where people are regularly storing their passwords and tokens
> as environment variables.

Yes unfortunately OpenStack does by default encourage people to source
a 'keystonerc_admin' file which contains authentication tokens.  The
file will look something like this:

export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=mysecretpassword
export OS_AUTH_URL=

For a public cloud, knowing those values could give anyone access to
the account.

How about having abrt just remove or scrub all variables that start
with /^OS_/ ?  I know it's nasty to have application-specific
treatment of environment variables like this, but the number of
applications that pass auth information through environment variables
is small.

For Amazon EC2 you'd want to scrub /^AWS_/


Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.

More information about the devel mailing list