Bug 535601 (RHQ-227) - Obfuscate DB password stored in rhq-server.properties
Summary: Obfuscate DB password stored in rhq-server.properties
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: RHQ-227
Product: RHQ Project
Classification: Other
Component: Core Server
Version: 1.0
Hardware: All
OS: All
medium
medium
Target Milestone: ---
: ---
Assignee: Heiko W. Rupp
QA Contact: Corey Welton
URL: http://jira.rhq-project.org/browse/RH...
Whiteboard:
Depends On:
Blocks: 577033
TreeView+ depends on / blocked
 
Reported: 2008-04-03 16:26 UTC by Ian Springer
Modified: 2018-10-27 16:16 UTC (History)
7 users (show)

Fixed In Version: 2.4
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-08-12 16:51:21 UTC
Embargoed:

Attachments (Terms of Use)

Description Ian Springer 2008-04-03 16:26:00 UTC
Comment 1 Charles Crouch 2008-04-07 22:58:28 UTC 
This was the case in 1.4 right? 
At a minimum we need to doc this so people know to control access to this file
Comment 2 Heiko W. Rupp 2008-04-11 13:07:10 UTC 
This page shows how this could work:
http://wiki.jboss.org/wiki/EncryptingDataSourcePasswords

But at the end, when the password to encrypt is stored with in a Java class, it is only obsfuscating the password for the casual lurker. Those that really want to get access to the db via that password and access to RHQ will also be able to read that above Wiki page ...
Comment 3 Heiko W. Rupp 2008-04-14 14:13:15 UTC 
We discussed not to implement it, as it is security by obscurity and rather document the behaviour and to secure access the rhq-server.properties file.
Comment 4 Heiko W. Rupp 2008-04-14 14:28:41 UTC 
Documented.
Comment 5 Ian Springer 2008-05-02 15:22:17 UTC 
Reopening this, so we can address it in a future release.
Comment 6 Greg Hinkle 2008-07-10 18:53:03 UTC 
Not going to make the 1.1 release
Comment 7 Red Hat Bugzilla 2009-11-10 21:01:22 UTC 
This bug was previously known as http://jira.rhq-project.org/browse/RHQ-227
Comment 9 John Mazzitelli 2010-03-22 21:23:39 UTC 
I think we need to avoid doing anything if all we are going to do is implement "security by obscurity" which everyone knows is worse than no security because it lulls people into a sense of "false security".

rhq-server.properties needs to be locked down by the people that install the software.
Comment 11 Charles Crouch 2010-03-23 02:15:07 UTC 
Mazz, the idea is to make it harder for casual viewers of the rhq-server.properties file to immediately have access to the RHQ database, i.e. an extract hoop for someone to jump through which also may indicate to them they are doing something they shouldn't. Somebody determined to attack the system will still be able to gain access to the db if they have read access to the rhq-server.properties but obfuscating the password will prevent casual users from wondering into the RHQ database just because they can.

I'm changing the title of this jira to make it clearer we're only going to support obfuscation.
Comment 14 Heiko W. Rupp 2010-03-26 12:51:59 UTC 
First cut is in a32db89465af384df8d30b3667f4f545d9893105 in master
Comment 15 Heiko W. Rupp 2010-03-26 13:31:04 UTC 
Additional fix in 1e8fb58
Comment 16 Heiko W. Rupp 2010-03-26 14:31:28 UTC 
Release note:

from RHQ 3.0.0.B05 on passwords for db access will always be encrypted when installing the server. The encrypted password is stored in bin/rhq-server.properties in the property
rhq.server.database.password

If the database password is upgraded, it also needs to be changed in this property.
To generate a new password, the provided scripts $RHQ_SERVER_BIN/generate-db-password.{sh,bat}
can be used by giving the db-password as argument like this:

$ bin/generate-db-password.sh test
Encoded password: 5..6b8b45e01...e
Comment 17 Ian Springer 2010-03-26 14:42:37 UTC 
> $ bin/generate-db-password.sh test

Passing the password as a command-line arg has a couple security issues:

1) Someone looking over the user's shoulder could see the password.
2) Someone could run "ps" and see the password.

I'd suggest adding support to the script for reading the password from stdin, e.g.:

if [ $# -eq 0 ]; then
    read -p "Enter the DB password: " -s DB_PASSWORD
    
    # 2) may be an issue here too - depends how you're encrypting the password
    # encrypt $DB_PASSWORD     
fi
Comment 18 Larry O'Leary 2010-03-26 15:08:06 UTC 
(In reply to comment #17)
> > $ bin/generate-db-password.sh test
> 
> Passing the password as a command-line arg has a couple security issues:
> 
> 1) Someone looking over the user's shoulder could see the password.
> 2) Someone could run "ps" and see the password.
> 
> I'd suggest adding support to the script for reading the password from stdin,

Reading the password from stdin won't fix 2) with the current implementation as it is just passed into the JVM and would still be exposed on the command line.

There are a couple ways around this: 

 2a) Use a Java class to do the prompting
 2b) Offer the option to store the plain-text password in a file and have a Java class read the file and delete it when it is done

In either case, it will require the plain-text password to be handled in the JVM and not within the shell/command environment.

Of course, this is a common issue with password handling.  As the process is short lived, it has become an acceptable practice to just pass it in as an argument and simply realize the associated security risk.  An alternative would be nice though for use within those untrusted environments.
Comment 22 Heiko W. Rupp 2010-03-29 12:23:13 UTC 
Windows bat script fix in b0140c2
Comment 25 Corey Welton 2010-03-30 14:28:14 UTC 
QA Verified.
Comment 26 Corey Welton 2010-04-01 14:39:29 UTC 
Moving this back to ON_QA as there's a few more tests I want to consider.
Comment 27 Corey Welton 2010-06-02 13:41:49 UTC 
QA Verifying.  I think it is safe to close this out at this point.
Comment 28 Corey Welton 2010-08-12 16:51:21 UTC 
Mass-closure of verified bugs against JON.
Note You need to log in before you can comment on or make changes to this bug.