Description of problem: While debugging user environments over IRC, we often request the output to certain commands that end up being viewable by everyone on #openshift. We recently found the 'rhc-chk -d' will display the user's database password. We should obfuscate it.
https://github.com/openshift/rhc/pull/261

The logs should have database information (as well as any other value indicated as "password") hidden, like this:

embedded:
  mysql-5.1:
    connection_url: mysql://127.0.250.129:3306/
    username: admin
    password: ! 'password: length 12 starting with YQ'
    database_name: foo
    info: ! 'Connection URL: mysql://127.0.250.129:3306/'
Password should be "***" now.
This still exposes the password length:

self[k] = "*" * v.length

It would be much better to assign a static length of ********'s: in case the user has a very short password, this will let the attacker know that brute forcing it is possible.
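As an added illustration of the point above (example code, not rhc's own; the sample YAML, the key names and the 12-star mask width are constructed), a recursive redactor that masks every key mentioning "password", with the length-preserving mask beside a fixed-width one:

```ruby
require 'yaml'

# Constructed sample in the shape of an rhc-chk app dump; not a real capture.
# The deliberately short secret shows what a length-preserving mask gives away.
SAMPLE = <<~YAML
  ews1:
    framework: jbossews-1.0
    embedded:
      mysql-5.1:
        connection_url: mysql://127.1.2.129:3306/
        password: Zx7
        database_name: ews1
        username: admin
YAML

# Length-preserving mask: the number of stars equals the secret's length,
# so a three-character secret is reported as '***'.
def mask_by_length(value)
  '*' * value.to_s.length
end

# Fixed-width mask: the same string for every secret, whatever its length.
FIXED_MASK = '*' * 12

# Walk a parsed YAML structure and replace the value of every key that
# mentions "password" (any case, any prefix such as db_password) with
# whatever the block returns; other values are kept, nested hashes and
# arrays are descended into.
def redact(obj, &masker)
  case obj
  when Hash
    obj.each_with_object({}) do |(k, v), out|
      out[k] = k.to_s =~ /password/i ? masker.call(v) : redact(v, &masker)
    end
  when Array
    obj.map { |v| redact(v, &masker) }
  else
    obj
  end
end

def redact_by_length(doc)
  redact(doc) { |v| mask_by_length(v) }
end

def redact_fixed(doc)
  redact(doc) { FIXED_MASK }
end

if $PROGRAM_NAME == __FILE__
  doc = YAML.safe_load(SAMPLE)
  puts redact_by_length(doc).to_yaml # password: '***'  (length leaks)
  puts redact_fixed(doc).to_yaml     # password: '************'
end
```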
Tested on devenv_2613

Steps:
1. Create apps and embed db cartridges
2. Run "rhc-chk -d"
3. Check log file

Result: db passwords are still exposed, see attachment:

ews1:
  framework: jbossews-1.0
  creation_time: "2012-12-20T02:38:43-05:00"
  embedded:
    mysql-5.1:
      connection_url: mysql://127.1.2.129:3306/
      password: 4ujyRP5USdxX
      database_name: ews1
      username: admin
      info: "Connection URL: mysql://127.1.2.129:3306/"
  uuid: 440152af3f0647b99cb47eeb758740c7
  aliases:
Created attachment 666571 [details] rhc-chk log
Kurt, Thank you for raising that point. Here's a new pull request to address it: https://github.com/openshift/rhc/pull/264 Jianwei, Where did you run 'rhc-chk'? The image devenv_2613 has the change needed, but the machine on which you ran 'rhc-chk' might not. The 'rhc' gem has not been released, so you'll have to either try it from source, or run it on the image itself.
This bug has been verified and fixed on devenv_2618. Please refer to the details as below:

Steps:
1. Create an app and add all db cartridges.
2. Run "eval `ssh-agent`" and "ssh-add ~/.ssh/id_rsa" on instance
3. Run "rhc-chk -d" on instance
4. Check the generated log file.

Results: All db passwords are displayed as "************" below:

embedded:
  mongodb-2.2:
    password: "************"
    info: "Connection URL: mongodb://127.0.252.1:27017/"
    database_name: app1
    username: admin
    connection_url: mongodb://127.0.252.1:27017/
  postgresql-8.4:
    password: "************"
    info: "Connection URL: postgresql://127.0.252.1:5432/"
    database_name: app1
    username: admin
    connection_url: postgresql://127.0.252.1:5432/
  mysql-5.1:
    password: "************"
    info: "Connection URL: mysql://127.0.252.1:3306/"
    database_name: app1
    username: admin
    connection_url: mysql://127.0.252.1:3306/

Also attached the log file with details for your reference. Thanks.
Created attachment 667072 [details] rhc-chk log
And the fixed version is rhc-1.3.2+ for this verification. Thanks.