Red Hat Bugzilla – Bug 888100
rhc-chk -d displays database admin user's password.
Last modified: 2015-05-14 22:10:29 EDT
Description of problem:
While debugging user environments over IRC, we often request the output of certain commands, which ends up being viewable by everyone on #openshift. We recently found that 'rhc-chk -d' will display the user's database password. We should obfuscate it.
The logs should have database information (as well as any other value indicated as "password") hidden, like this:
password: ! 'password: length 12 starting with YQ'
info: ! 'Connection URL: mysql://127.0.250.129:3306/'
Password should be "***" now.
This still exposes the password length:
self[k] = "*" * v.length
It would be much better to assign a static length of ********'s; in case the user has a very short password, the current behaviour will let the attacker know that brute forcing it is possible.
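To make the difference between the two masking strategies concrete, here is an added example (not rhc's own code) that redacts any value whose key looks like a password before a hash of environment values is logged. The helper names, the regex of secret-looking keys and the sample hash are all constructed for illustration; the length-preserving variant mirrors the one-liner quoted above, and the fixed-width variant is what the comment asks for.

```ruby
# Added example, not code from the rhc gem: redact secrets from a hash of
# cartridge/environment values before it is written to a debug log.

SECRET_KEY = /password|secret|token/i   # assumption: which keys count as secrets
FIXED_MASK = "*" * 12                   # constant width reveals nothing about length

# Length-leaking variant, equivalent to the `"*" * v.length` line in the report:
# a two-character password becomes "**", telling a reader it is trivially short.
def mask_preserving_length(value)
  "*" * value.length
end

# Fixed-width variant: every secret is replaced by the same 12 characters,
# so the log no longer says anything about the real password.
def mask_fixed(_value)
  FIXED_MASK
end

# Walk nested hashes and arrays, masking string values under secret-looking keys
# and leaving everything else untouched.
def redact(obj, masker = method(:mask_fixed))
  case obj
  when Hash
    obj.each_with_object({}) do |(k, v), out|
      out[k] = if SECRET_KEY.match?(k.to_s) && v.is_a?(String)
                 masker.call(v)
               else
                 redact(v, masker)
               end
    end
  when Array
    obj.map { |v| redact(v, masker) }
  else
    obj
  end
end

# Sanity check a log producer can run before emitting output: no original
# secret may survive, and every mask must have the same width.
def safely_redacted?(original, redacted)
  secrets = []
  collect = lambda do |o|
    case o
    when Hash then o.each { |k, v| SECRET_KEY.match?(k.to_s) && v.is_a?(String) ? secrets << v : collect.call(v) }
    when Array then o.each { |v| collect.call(v) }
    end
  end
  collect.call(original)
  text = redacted.inspect
  secrets.none? { |s| text.include?(s) } && text.scan(/\*+/).uniq.size <= 1
end

# Constructed sample resembling what rhc-chk -d prints for a DB cartridge.
SAMPLE = {
  "username" => "admin",
  "password" => "ab",                                    # deliberately short
  "info"     => "Connection URL: mysql://127.0.250.129:3306/",
  "nested"   => { "db_password" => "YQ9f3kLm2xPq" }
}

if __FILE__ == $PROGRAM_NAME
  puts redact(SAMPLE, method(:mask_preserving_length)).inspect   # leaks lengths
  puts redact(SAMPLE).inspect                                     # fixed width
end
```

Running the file prints the same hash twice, first with "**" and "************" (the lengths are visible), then with both passwords rendered as "************", while the username and connection URL are left alone. `safely_redacted?` passes only for the fixed-width output because the length-preserving variant produces masks of differing widths.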
Tested on devenv_2613
1. Create apps and embed db cartridges
2. run "rhc-chk -d"
3. check log file
DB passwords are still exposed; see attachment.
info: "Connection URL: mysql://127.1.2.129:3306/"
Created attachment 666571
Thank you for raising that point. Here's a new pull request to address it: https://github.com/openshift/rhc/pull/264
Where did you run 'rhc-chk'? The image devenv_2613 has the change needed, but the machine on which you ran 'rhc-chk' might not. The 'rhc' gem has not been released, so you'll have to either try it from source, or run it on the image itself.
This bug has been verified and fixed on devenv_2618. Please refer to the details below:
1. Create an app and add all db cartridges.
2. Run "eval `ssh-agent`" and "ssh-add ~/.ssh/id_rsa" on instance
3. Run "rhc-chk -d" on instance
4. Check the generated log file.
All db passwords are displayed as "************" below:
info: "Connection URL: mongodb://127.0.252.1:27017/"
info: "Connection URL: postgresql://127.0.252.1:5432/"
info: "Connection URL: mysql://127.0.252.1:3306/"
Also attached the log file with details for your reference.
Created attachment 667072
And the fixed version is rhc-1.3.2+ for this verification. Thanks.