Bug#1038139: debci-worker: Process leaks authentication data via amqp-tools
On 2023-06-16 17:56, Antonio Terceiro wrote:
> Note that the variable where you inserted a username and password is
> called debci_amqp_server, and was never supposed to be used for putting a
> password in plain text.

I think this is where the documentation of the --amqp option threw me
off, from debci(1):

    --amqp amqp://[user:password@]hostname[:port]

> For the c.d.n deployment we use SSL client certificates for
> authentication, and that's why the variables debci_amqp_cacert,
> debci_amqp_cert, debci_amqp_key are there.

Yeah, I was guessing as much. I just wanted to make sure that in the case
of only the server certificate + client auth/pass, there's a safer way to
do that.

> IMO that is no different from any other program that takes a url as a
> command line parameter: you can pass a URL containing a username and
> password, but then that's on you.

Indeed. I only mentioned it since it's not entirely obvious for a
first-time debci user that the debci_amqp_server config option is passed
on via CLI to some other utility, rather than consumed by a library, or
similar.

Best,
Christian
Bug#1038139: debci-worker: Process leaks authentication data via amqp-tools
On Thu, Jun 15, 2023 at 10:48:57PM +0200, Christian Kastner wrote:
> Package: debci
> Version: 3.6
> Severity: serious
> Tags: security
> X-Debbugs-Cc: Debian Security Team
>
> Hi,
>
> When using authentication in AMQP connections, the username and password
> supplied in the --url option to amqp-consume resp. amqp-publish are
> exposed in the process list, see #1037322:
>
> $ pgrep -a ampq-consume
> 62287 amqp-consume --url amqp://user:pass@192.168.0.1 --queue=myqueue
>
> A patch has been accepted upstream to read the username and password
> from a file. I assume this will make its way into amqp-tools soon.
>
> Unless I'm mistaken, debci will need to be updated for this, e.g. by
> adding a debci_amqp_pwfile config option + NEWS entry suggesting that
> people migrate to this new option. I'd be happy to file an MR for this,
> once amqp-tools has been fixed.

Note that the variable where you inserted a username and password is
called debci_amqp_server, and was never supposed to be used for putting a
password in plain text.

For the c.d.n deployment we use SSL client certificates for
authentication, and that's why the variables debci_amqp_cacert,
debci_amqp_cert, debci_amqp_key are there.

IMO that is no different from any other program that takes a url as a
command line parameter: you can pass a URL containing a username and
password, but then that's on you.
Bug#1038139: debci-worker: Process leaks authentication data via amqp-tools
Package: debci
Version: 3.6
Severity: serious
Tags: security
X-Debbugs-Cc: Debian Security Team

Hi,

When using authentication in AMQP connections, the username and password
supplied in the --url option to amqp-consume resp. amqp-publish are
exposed in the process list, see #1037322:

$ pgrep -a ampq-consume
62287 amqp-consume --url amqp://user:pass@192.168.0.1 --queue=myqueue

A patch has been accepted upstream to read the username and password
from a file. I assume this will make its way into amqp-tools soon.

Unless I'm mistaken, debci will need to be updated for this, e.g. by
adding a debci_amqp_pwfile config option + NEWS entry suggesting that
people migrate to this new option. I'd be happy to file an MR for this,
once amqp-tools has been fixed.

Best,
Christian

-- System Information:
Debian Release: 11.7
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-0.deb11.7-amd64 (SMP w/24 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debci depends on:
ii  adduser                     3.118
pn  amqp-tools
ii  curl                        7.88.1-7~bpo11+2
ii  dctrl-tools                 2.24-3+b1
ii  debian-archive-keyring      2021.1.1+deb11u1
ii  debootstrap                 1.0.128+nmu2~bpo11+1
ii  devscripts                  2.22.2~bpo11+1
pn  distro-info
ii  fonts-font-awesome          5.0.10+really4.7.0~dfsg-4.1
ii  jq                          1.6-2.1
ii  libjs-bootstrap             3.4.1+dfsg-2
ii  libjs-jquery                3.5.1+dfsg+~3.5.5-7
pn  libjs-jquery-flot
pn  moreutils
ii  netcat-openbsd              1.217-3
pn  parallel
ii  patchutils                  0.4.2-1
pn  retry
ii  rsync                       3.2.7-1~bpo11+1
ii  ruby                        1:2.7+2
pn  ruby-activerecord
pn  ruby-bunny
pn  ruby-erubi
pn  ruby-kaminari-activerecord
pn  ruby-pg
pn  ruby-sinatra
pn  ruby-sinatra-contrib
pn  ruby-sqlite3
pn  ruby-thor
pn  sudo

Versions of packages debci recommends:
ii  systemd-timesyncd [time-daemon]  252.5-2~bpo11+1

Versions of packages debci suggests:
pn  apt-cacher-ng
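The report above shows the leak with a single `pgrep -a` call against one known process. The following shell function, an added example that is not part of the bug report nor of debci or amqp-tools, generalises that check into a defender's audit: it reads `pgrep -a` or `ps -eo pid=,args=` output and flags any command line that carries a URL with an embedded `user:password@` pair, printing the PID and a redacted copy so the finding can be logged without copying the secret again. The sample command lines are constructed for the example; the regular expression and the `audit_cmdline_credentials` name are my own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of debci/amqp-tools.
# Flags process command lines that embed credentials in a URL
# (scheme://user:password@host), the pattern that is readable through
# ps(1), pgrep(1) and /proc/<pid>/cmdline by every local user.

# Reads "PID COMMAND ..." lines on stdin, as printed by `pgrep -a` or
# `ps -eo pid=,args=`, and prints only the lines that carry a URL with an
# embedded password, with the password replaced by *** so the finding can
# be logged without copying the secret again.
audit_cmdline_credentials() {
    # user: anything but '/', '@', ':' or whitespace; password: anything
    # but '/', '@' or whitespace, terminated by the '@' before the host.
    grep -E '[A-Za-z][A-Za-z0-9+.-]*://[^/@:[:space:]]+:[^/@[:space:]]+@' |
        sed -E 's#(://[^/@:[:space:]]+:)[^/@[:space:]]+@#\1***@#g'
}

# Constructed sample in `pgrep -a` format (made up for this example; the
# first line mirrors the shape of the one in the report, the second and
# third are benign commands that must not be flagged, the fourth is a
# second credential-bearing URL with a port).
SAMPLE_PGREP_OUTPUT='62287 amqp-consume --url amqp://user:pass@192.168.0.1 --queue=myqueue
1234 sshd: user [priv]
5678 curl https://example.invalid:8443/path
9012 amqp-publish --url amqps://svc:s3cr3t@broker.example.invalid:5671'

# Run against the sample. On a live host use one of:
#   pgrep -a . | audit_cmdline_credentials
#   ps -eo pid=,args= | audit_cmdline_credentials
printf '%s\n' "$SAMPLE_PGREP_OUTPUT" | audit_cmdline_credentials
```

Run against the sample this prints the amqp-consume and amqp-publish lines with `user:***@` and `svc:***@` and stays silent on the sshd and curl lines; a host:port URL without an `@` is not a credential and is deliberately not matched. Piping live `ps` or `pgrep` output through it is a cheap periodic check for the class of leak this bug describes, independent of which tool put the URL on the command line.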