Bug 1020871 - [notifier] SECURITY - notifier.log contains value of MAIL_PASSWORD if not empty
Summary: [notifier] SECURITY - notifier.log contains value of MAIL_PASSWORD if not empty
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-notification-service
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: 3.3.0
Assignee: Mooli Tayer
QA Contact: Jiri Belka
URL:
Whiteboard: infra
Depends On:
Blocks: 3.3snap2
Reported: 2013-10-18 12:12 UTC by Jiri Belka
Modified: 2016-02-10 19:43 UTC
CC: 8 users

Fixed In Version: is21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-21 22:18:03 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:

Links
System              ID     Private  Priority  Status  Summary  Last Updated
oVirt gerrit        20350  0        None      None    None     Never
oVirt gerrit        20593  0        None      None    None     Never

Description Jiri Belka 2013-10-18 12:12:25 UTC
Description of problem:

SECURITY - notifier.log contains value of MAIL_PASSWORD if not empty! This file is world-readable!

# su -s /bin/sh nobody -c 'grep -q MAIL_PASSWORD /var/log/ovirt-engine/notifier/notifier.log && echo found_pattern'
found_pattern

-%-
# grep MAIL_PASS /etc/ovirt-engine/notifier/notifier.conf
MAIL_PASSWORD=foobar

# grep MAIL_PASS /var/log/ovirt-engine/notifier/notifier.log | tail -n1
2013-10-18 13:59:42,048 INFO  [org.ovirt.engine.core.utils.LocalConfig] Value of property "MAIL_PASSWORD" is "foobar".

Version-Release number of selected component (if applicable):
is19

How reproducible:
100%

Steps to Reproduce:
1. MAIL_ENABLE_SSL=true, MAIL_SERVER=$smtp_server, MAIL_USER=$auth-name, MAIL_PASSWORD=$auth-password defined in /etc/ovirt-engine/notifier/notifier.conf
2. restart ovirt-engine-notifier
3. see MAIL_PASSWORD in notifier.log

Actual results:
password defined in conf file is visible in plaintext in log file!

Expected results:
do not show password as it can leak

Additional info:

Comment 1 Mooli Tayer 2013-10-21 12:27:56 UTC
There is a configuration key called SENSITIVE_KEYS which is a comma-separated list of hidden configuration keys.

Patch proposed upstream adding MAIL_PASSWORD to ovirt-engine-notifier.conf.

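The leak from the description and the SENSITIVE_KEYS mechanism from comment 1, as an added example that is not oVirt's own code: a small config loader that dumps property values to the log the way the quoted LocalConfig line does, a mask applied to every key listed in SENSITIVE_KEYS, and the two checks the report implies (does the secret's value appear in the log, and is the log file readable by "other"). The sample notifier.conf is constructed, the log line shape mimics the one quoted above, and every function name here (parse_conf, sensitive_keys, render_log, leaked_values, write_log, world_readable) is this example's own, not an oVirt API.

```python
"""Added example, not code from oVirt. Models the LocalConfig property dump
from the report, the SENSITIVE_KEYS mask from comment 1, and the two checks
a reviewer wants: does the secret's value appear in the log, and is the log
file world-readable. All function names here are this example's own."""
import os
import stat
import tempfile

# Constructed stand-in for /etc/ovirt-engine/notifier/notifier.conf
SAMPLE_CONF = """\
# mail settings (constructed sample)
MAIL_ENABLE_SSL=true
MAIL_SERVER=smtp.example.test
MAIL_USER=notifier@example.test
MAIL_PASSWORD=foobar
SENSITIVE_KEYS=MAIL_PASSWORD
"""

MASK = "***"


def parse_conf(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def sensitive_keys(props):
    """Keys named in the comma-separated SENSITIVE_KEYS list."""
    raw = props.get("SENSITIVE_KEYS", "")
    return {k.strip() for k in raw.split(",") if k.strip()}


def render_log(props, mask_sensitive):
    """One INFO line per property, in the shape quoted in the report.
    mask_sensitive=False reproduces the leak; True applies the fix."""
    hidden = sensitive_keys(props) if mask_sensitive else set()
    return [
        'INFO  [LocalConfig] Value of property "%s" is "%s".'
        % (key, MASK if key in hidden else value)
        for key, value in props.items()
    ]


def leaked_values(props, log_lines):
    """Sensitive keys whose real value shows up anywhere in the log.
    Deliberately broad: a plain substring search, so it also catches the
    value if some other component logs it in a different format."""
    leaked = set()
    for key in sensitive_keys(props):
        value = props.get(key, "")
        if value and any(value in line for line in log_lines):
            leaked.add(key)
    return leaked


def write_log(lines, mode):
    """Write lines to a temporary log file with the given mode; return path."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, mode)
    return path


def world_readable(path):
    """True when 'other' can read the file, as the reporter's su test showed."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


if __name__ == "__main__":
    props = parse_conf(SAMPLE_CONF)
    before = render_log(props, mask_sensitive=False)
    after = render_log(props, mask_sensitive=True)
    print("leaked before fix:", leaked_values(props, before))  # {'MAIL_PASSWORD'}
    print("leaked after fix: ", leaked_values(props, after))   # set()
    path = write_log(after, 0o644)
    print("world-readable:", world_readable(path))            # True
    os.unlink(path)
```

The leaked_values check is the reporter's grep turned into something that can run after every restart: it takes the real secret values from the conf and looks for them in the log, so it catches any key that was forgotten in SENSITIVE_KEYS. The permission check is a separate control; the fix recorded on this page only adds MAIL_PASSWORD to the masked list, and a log that is still world-readable will expose the next key that is not.
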
Comment 3 Jiri Belka 2013-11-11 14:09:28 UTC
ok, is22.

Comment 4 Itamar Heim 2014-01-21 22:18:03 UTC
Closing - RHEV 3.3 Released

Comment 5 Itamar Heim 2014-01-21 22:24:29 UTC
Closing - RHEV 3.3 Released
