On Mon, 2014-12-01 at 16:01 +0000, Richard W.M. Jones wrote: > On Mon, Dec 01, 2014 at 03:18:36PM +0100, Zbigniew Jędrzejewski-Szmek wrote: > > On Sun, Nov 30, 2014 at 01:43:39PM +0000, Richard W.M. Jones wrote: > > > On Fri, Nov 28, 2014 at 07:39:47AM +0100, Jakub Filak wrote: > > > > The discussion I mentioned above was primarily about OpenStack (but the > > > > participants also expressed concerns about sending 'environ' to Bugzilla > > > > at all), where people are regularly storing their passwords and tokens > > > > as environment variables. > > > > > > Yes unfortunately OpenStack does by default encourage people to source > > > a 'keystonerc_admin' file which contains authentication tokens. The > > > file will look something like this: > > > > > > export OS_USERNAME=admin > > > export OS_TENANT_NAME=admin > > > export OS_PASSWORD=mysecretpassword > > > export OS_AUTH_URL=http://127.0.0.1:35357/v2.0/ > > > > > For Amazon EC2 you'd want to scrub /^AWS_/ > > Would it be enough to scrub OS_PASSWORD? We could filter out *PASSWORD* > > without gathering 50 cases. > > While it might be a good idea to also scrub all *PASSWORD* environment > strings, this isn't sufficient for AWS. AWS has two environment > variables (AWS_ACCESS_KEY and AWS_SECRET_KEY) which are both > sensitive. > > Also OS_USERNAME and OS_TENANT_NAME and even OS_AUTH_URL are somewhat > sensitive (less so than OS_PASSWORD of course) since they reveal that > a service exists, its location, and potential usernames to try > bruteforcing. >
ABRT highlights almost all of them: https://github.com/abrt/libreport/blob/master/src/gui-wizard-gtk/forbidden_words.conf /etc/libreport/forbidden_words.conf But apparently the highlighting of sensitive words does not address this issue very well. We already auto-remove 'rootpw' lines from Anaconda reports[1], so there is no argument against implementing the same thing for 'environ' file for all applications: https://bugzilla.redhat.com/show_bug.cgi?id=1169760 Jakub 1: https://bugzilla.redhat.com/show_bug.cgi?id=1041558 -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
