Bug 1020871 - [notifier] SECURITY - notifier.log contains value of MAIL_PASSWORD if not empty
[notifier] SECURITY - notifier.log contains value of MAIL_PASSWORD if not empty
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-notification-service (Show other bugs)
3.3.0
Unspecified Unspecified
unspecified Severity urgent
: ---
: 3.3.0
Assigned To: Mooli Tayer
Jiri Belka
infra
:
Depends On:
Blocks: 3.3snap2
  Show dependency treegraph
 
Reported: 2013-10-18 08:12 EDT by Jiri Belka
Modified: 2016-02-10 14:43 EST (History)
8 users (show)

See Also:
Fixed In Version: is21
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-21 17:18:03 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 20350 None None None Never
oVirt gerrit 20593 None None None Never

  None (edit)
Description Jiri Belka 2013-10-18 08:12:25 EDT
Description of problem:

SECURITY - notifier.log contains value of MAIL_PASSWORD if not empty! This file is world-readable!

# su -s /bin/sh nobody -c 'grep -q MAIL_PASSWORD /var/log/ovirt-engine/notifier/notifier.log && echo found_pattern'
found_pattern

-%-
# grep MAIL_PASS /etc/ovirt-engine/notifier/notifier.conf                                                                                      
MAIL_PASSWORD=foobar

# grep MAIL_PASS /var/log/ovirt-engine/notifier/notifier.log | tail -n1
2013-10-18 13:59:42,048 INFO  [org.ovirt.engine.core.utils.LocalConfig] Value of property "MAIL_PASSWORD" is "foobar".

Version-Release number of selected component (if applicable):
is19

How reproducible:
100%

Steps to Reproduce:
1. MAIL_ENABLE_SSL=true, MAIL_SERVER=$smtp_server, MAIL_USER=$auth-name, MAIL_PASSWORD=$auth-password defined in /etc/ovirt-engine/notifier/notifier.conf
2. restart ovirt-engine-notifier
3. see MAIL_PASSWORD in notifier.log

Actual results:
password define in conf file is visible plaintext in log file!

Expected results:
do not show password as it can leak

Additional info:
Comment 1 Mooli Tayer 2013-10-21 08:27:56 EDT
There is a configuration key called SENSITIVE_KEYS which is a comma separated list of hidden configuration keys. 

patch proposed upstream adding MAIL_PASSWORD to ovirt-engine-notifier.conf.
Comment 3 Jiri Belka 2013-11-11 09:09:28 EST
ok, is22.
Comment 4 Itamar Heim 2014-01-21 17:18:03 EST
Closing - RHEV 3.3 Released
Comment 5 Itamar Heim 2014-01-21 17:24:29 EST
Closing - RHEV 3.3 Released

Note You need to log in before you can comment on or make changes to this bug.