Bug 1358063 - beaker-provision logs leak power passwords in fence agent output
Summary: beaker-provision logs leak power passwords in fence agent output
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Beaker
Classification: Community
Component: lab controller
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified vote
Target Milestone: 24.0
Assignee: Dan Callaghan
QA Contact: tools-bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-07-20 00:37 UTC by Dan Callaghan
Modified: 2017-02-21 18:50 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-21 18:50:54 UTC


Attachments (Terms of Use)

Description Dan Callaghan 2016-07-20 00:37:50 UTC
Some/all of the fence agents, when run in --verbose mode which we use when invoking them, will print output that includes the password passed to the BMC.

For example fence_ipmilan will print output like this:

Executing: /usr/bin/ipmitool -I lanplus -H example.com -U user -P thepassword -p 623 -L ADMINISTRATOR chassis power stat

If the power command fails, beaker-provision logs this output as part of the failure so that the administrator has a better chance of figuring out what went wrong. But as a result the passwords end up leaked in /var/log/beaker/provision.log.

Similar to bug 986108 (which censors passwords in the repr() of the power commands) beaker-provision should censor any instance of the password which appears in the power script's output, before it logs it and reports it back to Beaker.

Comment 1 Dan Callaghan 2016-08-08 06:04:20 UTC
While writing a test case for this I hit long-standing bug 968715: we don't store anywhere near the complete failure message when power commands fail. All I get in my test case is:

ValueError: Power script /home/dcallagh/work/beaker/LabContr

so I'd like to fix that up (perhaps via bug 1318524) for this one.

Comment 2 Dan Callaghan 2016-09-05 01:31:05 UTC
http://gerrit.beaker-project.org/5186

Comment 3 Dan Callaghan 2016-09-05 04:59:11 UTC
Plus matching change for dogfood: https://gerrit.beaker-project.org/5191

Comment 6 Dan Callaghan 2017-02-21 18:50:54 UTC
Beaker 24.0 has been released.


Note You need to log in before you can comment on or make changes to this bug.