Re: Entire process's environment attached to bugzillas by ABRT

On Fri, Nov 28, 2014 at 07:39:47AM +0100, Jakub Filak wrote:
> The discussion I mentioned above was primarily about OpenStack (but the
> participants also expressed concerns about sending 'environ' to Bugzilla
> at all), where people are regularly storing their passwords and tokens
> as environment variables.

Yes, unfortunately OpenStack does by default encourage people to source
a 'keystonerc_admin' file which contains authentication tokens.  The
file will look something like this:

export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=mysecretpassword
export OS_AUTH_URL=http://127.0.0.1:35357/v2.0/

For a public cloud, knowing those values could give anyone access to
the account.

How about having abrt just remove or scrub all variables that start
with /^OS_/ ?  I know it's nasty to have application-specific
treatment of environment variables like this, but the number of
applications that pass auth information through environment variables
is small.

For Amazon EC2 you'd want to scrub /^AWS_/

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
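
The prefix scrubbing proposed in the message above, as an added example that is not part of the original email and is not ABRT's code. It assumes the environment dump is NUL-separated like /proc/<pid>/environ or has one NAME=value per line; the names scrub_environ, SENSITIVE_NAME, REDACTED and SAMPLE are hypothetical.

```python
import re

# Name prefixes proposed in the message: OpenStack (OS_) and Amazon EC2 (AWS_).
# Anchored at the start and including the underscore, so OSTYPE is untouched.
SENSITIVE_NAME = re.compile(rb"^(?:OS|AWS)_")
REDACTED = b"<scrubbed>"  # placeholder value chosen for this example


def scrub_environ(data: bytes, remove: bool = False) -> bytes:
    """Scrub or remove sensitive variables from an environment dump.

    Assumption: entries are NUL-separated (as in /proc/<pid>/environ) or,
    when no NUL byte is present, one NAME=value per line.
    """
    sep = b"\0" if b"\0" in data else b"\n"
    trailing = data.endswith(sep)
    entries = data.split(sep)
    if trailing:
        entries.pop()  # drop the empty piece after the final separator
    kept = []
    for entry in entries:
        name, eq, _value = entry.partition(b"=")
        if eq and SENSITIVE_NAME.match(name):
            if remove:
                continue
            entry = name + b"=" + REDACTED  # keep the name, hide the value
        kept.append(entry)
    result = sep.join(kept)
    return result + sep if trailing and kept else result


# Constructed sample in /proc/<pid>/environ layout, using the page's values.
SAMPLE = (
    b"HOME=/root\0OSTYPE=linux-gnu\0OS_USERNAME=admin\0"
    b"OS_PASSWORD=mysecretpassword\0"
    b"OS_AUTH_URL=http://127.0.0.1:35357/v2.0/\0"
    b"AWS_SECRET_ACCESS_KEY=constructed-example-value\0"
)

if __name__ == "__main__":
    for line in scrub_environ(SAMPLE).split(b"\0"):
        if line:
            print(line.decode())
```

A multi-line value in a newline-separated dump would be split across entries, so the NUL-separated form is the safer input.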




