Bug 888100

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | rhc-chk -d displays database admin user's password. | | |
| Product: | OKD | Reporter: | Nam Duong <nduong> |
| Component: | oc | Assignee: | Hiro Asari <hasari> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | libra bugs <libra-bugs> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 2.x | CC: | dmcphers, hasari, jhou, jinzhang, jkeck, jofernan, lzhuang |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Release Note |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-02-13 22:56:38 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 889062 | | |
| Attachments: | | | |
Description
Nam Duong
2012-12-18 01:12:25 UTC
https://github.com/openshift/rhc/pull/261

The logs should have database information (as well as any other value indicated as "password") hidden, like this:

```yaml
embedded:
  mysql-5.1:
    connection_url: mysql://127.0.250.129:3306/
    username: admin
    password: ! 'password: length 12 starting with YQ'
    database_name: foo
    info: ! 'Connection URL: mysql://127.0.250.129:3306/'
```

Password should be "***" now.

This still exposes the password length:

```ruby
self[k] = "*" * v.length
```

It would be much better to assign a static length of ********'s; in case the user has a very short password, this will let the attacker know that brute forcing it is possible.

Tested on devenv_2613

Steps:
1. Create apps and embed db cartridges
2. Run "rhc-chk -d"
3. Check log file

Result:
db passwords are still exposed, see attachment

```yaml
ews1:
  framework: jbossews-1.0
  creation_time: "2012-12-20T02:38:43-05:00"
  embedded:
    mysql-5.1:
      connection_url: mysql://127.1.2.129:3306/
      password: 4ujyRP5USdxX
      database_name: ews1
      username: admin
      info: "Connection URL: mysql://127.1.2.129:3306/"
  uuid: 440152af3f0647b99cb47eeb758740c7
  aliases:
```
Created attachment 666571 [details]
rhc-chk log
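The two masking strategies discussed in this thread, side by side, as an added example (not code from rhc or the linked pull requests). It walks a nested config hash of the shape rhc-chk logs, redacts every string value whose key matches "password" (case-insensitive), and contrasts the length-preserving mask (`"*" * v.length`) with a fixed-width mask. The sample hash and its password value are constructed for the example; the key pattern, the 12-character mask width and the function names are assumptions of this example.

```ruby
# Added example, not rhc's own code: redacting secrets in a nested
# config hash before it is dumped to a log, as rhc-chk -d does.
require 'yaml'

# Constructed sample resembling the rhc-chk log in this bug. The password
# is deliberately short so the length leak of the first fix is visible.
SAMPLE = {
  'ews1' => {
    'framework' => 'jbossews-1.0',
    'embedded' => {
      'mysql-5.1' => {
        'connection_url' => 'mysql://127.1.2.129:3306/',
        'password' => 'abc',
        'database_name' => 'ews1',
        'username' => 'admin',
        'info' => 'Connection URL: mysql://127.1.2.129:3306/'
      }
    }
  }
}.freeze

# Assumed policy: any key containing "password" holds a secret.
SECRET_KEY = /password/i
# Fixed-width mask, independent of the real secret length (assumed width).
MASK = ('*' * 12).freeze

# Generic walker: returns a redacted deep copy, leaving the input untouched.
# The block decides what replaces a secret string value.
def redact(obj, &mask)
  case obj
  when Hash
    obj.each_with_object({}) do |(k, v), out|
      out[k] = if k.to_s =~ SECRET_KEY && v.is_a?(String)
                 mask.call(v)
               else
                 redact(v, &mask)
               end
    end
  when Array
    obj.map { |v| redact(v, &mask) }
  else
    obj
  end
end

# Flawed variant (the first fix): the number of asterisks equals the
# password length, so the log still tells an attacker how long it is.
def redact_length_preserving(obj)
  redact(obj) { |v| '*' * v.length }
end

# Hardened variant: every secret becomes the same fixed-width mask,
# matching the "************" seen in the verified log.
def redact_fixed(obj)
  redact(obj) { |_| MASK }
end

# Convenience accessor for the sample's password field.
def mysql_password(tree)
  tree['ews1']['embedded']['mysql-5.1']['password']
end

# True if any of the given secret strings still appears in the YAML that
# would be written to the log.
def leaks?(tree, secrets)
  text = tree.to_yaml
  secrets.any? { |s| text.include?(s) }
end

if __FILE__ == $PROGRAM_NAME
  puts '--- length-preserving mask (leaks length) ---'
  puts redact_length_preserving(SAMPLE).to_yaml
  puts '--- fixed-width mask ---'
  puts redact_fixed(SAMPLE).to_yaml
end
```

Matching on the key name is what the rhc fix does, and it is enough for the cartridge output shown here; it does not catch a secret that is embedded in some other value, such as credentials inside a connection URL, so a log sanitizer that has to be robust should additionally check serialized output for the known secret strings, as `leaks?` does.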
Kurt, thank you for raising that point. Here's a new pull request to address it: https://github.com/openshift/rhc/pull/264

Jianwei, where did you run 'rhc-chk'? The image devenv_2613 has the change needed, but the machine on which you ran 'rhc-chk' might not. The 'rhc' gem has not been released, so you'll have to either try it from source, or run it on the image itself.

This bug has been verified and fixed on devenv_2618. Please refer to the details as below:

Steps:
1. Create an app and add all db cartridges.
2. Run "eval `ssh-agent`" and "ssh-add ~/.ssh/id_rsa" on instance
3. Run "rhc-chk -d" on instance
4. Check the generated log file.

Results:
All db passwords are displayed as "************" below:

```yaml
embedded:
  mongodb-2.2:
    password: "************"
    info: "Connection URL: mongodb://127.0.252.1:27017/"
    database_name: app1
    username: admin
    connection_url: mongodb://127.0.252.1:27017/
  postgresql-8.4:
    password: "************"
    info: "Connection URL: postgresql://127.0.252.1:5432/"
    database_name: app1
    username: admin
    connection_url: postgresql://127.0.252.1:5432/
  mysql-5.1:
    password: "************"
    info: "Connection URL: mysql://127.0.252.1:3306/"
    database_name: app1
    username: admin
    connection_url: mysql://127.0.252.1:3306/
```
Also attached the log file with details for your reference.
Thanks.
Created attachment 667072 [details]
rhc-chk log
And the fixed version is rhc-1.3.2+ for this verification. Thanks.