On Mon, Dec 01, 2014 at 03:18:36PM +0100, Zbigniew Jędrzejewski-Szmek wrote:
> On Sun, Nov 30, 2014 at 01:43:39PM +0000, Richard W.M. Jones wrote:
> > On Fri, Nov 28, 2014 at 07:39:47AM +0100, Jakub Filak wrote:
> > > The discussion I mentioned above was primarily about OpenStack (but the
> > > participants also expressed concerns about sending 'environ' to Bugzilla
> > > at all), where people are regularly storing their passwords and tokens
> > > as environment variables.
> >
> > Yes unfortunately OpenStack does by default encourage people to source
> > a 'keystonerc_admin' file which contains authentication tokens.  The
> > file will look something like this:
> >
> >   export OS_USERNAME=admin
> >   export OS_TENANT_NAME=admin
> >   export OS_PASSWORD=mysecretpassword
> >   export OS_AUTH_URL=http://127.0.0.1:35357/v2.0/
> >
> > For Amazon EC2 you'd want to scrub /^AWS_/
>
> Would it be enough to scrub OS_PASSWORD? We could filter out *PASSWORD*
> without gathering 50 cases.

While it might be a good idea to also scrub all *PASSWORD* environment
strings, this isn't sufficient for AWS.  AWS has two environment
variables (AWS_ACCESS_KEY and AWS_SECRET_KEY) which are both sensitive.

Also OS_USERNAME and OS_TENANT_NAME and even OS_AUTH_URL are somewhat
sensitive (less so than OS_PASSWORD of course) since they reveal that a
service exists, its location, and potential usernames to try
bruteforcing.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
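The scrubbing policy the thread is debating, as an added example that is not ABRT's, Red Hat's or the Fedora project's code. It compares the "*PASSWORD* only" rule against a wider rule set (/^AWS_/, /^OS_/ and the PASSWORD rule) on a constructed environment built from the keystonerc_admin in the thread plus the two AWS variables named in the reply, and reports which sensitive names each rule set still leaks. The helper names (scrub_environ, parse_rc_file, leaked), the <scrubbed> placeholder, the sample values and the extra SECRET/TOKEN rule are assumptions made for illustration; only the variable names come from the thread.

```python
"""Scrub sensitive variables from a captured 'environ' before it is
attached to a crash report.

Added example, not ABRT's or the Fedora project's code.  Helper names,
the placeholder string, the sample values and the SECRET/TOKEN rule are
assumptions; the variable names OS_USERNAME, OS_TENANT_NAME, OS_PASSWORD,
OS_AUTH_URL, AWS_ACCESS_KEY and AWS_SECRET_KEY are the ones from the thread.
"""
import re
from typing import Dict, Iterable, List

# Rule set proposed in the thread: drop anything whose name contains PASSWORD.
PASSWORD_ONLY = [re.compile(r"PASSWORD", re.IGNORECASE)]

# Wider rule set following the reply: every AWS_* variable, every OS_*
# variable (username, tenant and auth URL included), plus the PASSWORD rule.
# The SECRET/TOKEN rule is an assumption added here, not something the thread lists.
WIDER = [
    re.compile(r"PASSWORD", re.IGNORECASE),
    re.compile(r"^AWS_"),
    re.compile(r"^OS_"),
    re.compile(r"SECRET|TOKEN", re.IGNORECASE),
]

REDACTED = "<scrubbed>"  # assumed placeholder


def scrub_environ(env: Dict[str, str], rules: Iterable[re.Pattern]) -> Dict[str, str]:
    """Return a copy of env with the value of every matching name replaced.

    The name is kept and only the value is replaced, so whoever reads the
    report can still see which variables were set without seeing their
    contents.
    """
    rules = list(rules)
    out: Dict[str, str] = {}
    for name, value in env.items():
        out[name] = REDACTED if any(r.search(name) for r in rules) else value
    return out


def parse_rc_file(text: str) -> Dict[str, str]:
    """Parse 'export NAME=value' lines of the kind found in keystonerc_admin."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("export "):
            continue
        name, _, value = line[len("export "):].partition("=")
        env[name.strip()] = value.strip()
    return env


def leaked(env: Dict[str, str], rules: Iterable[re.Pattern],
           sensitive: Iterable[str]) -> List[str]:
    """Names in `sensitive` whose value survives scrubbing with `rules`."""
    scrubbed = scrub_environ(env, rules)
    return sorted(n for n in sensitive if scrubbed.get(n, REDACTED) != REDACTED)


# Constructed sample: the keystonerc_admin from the thread, the two AWS
# variables from the reply (with made-up values), and one harmless variable
# that must survive scrubbing untouched.
KEYSTONERC_ADMIN = """\
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=mysecretpassword
export OS_AUTH_URL=http://127.0.0.1:35357/v2.0/
"""

SAMPLE_ENV = dict(
    parse_rc_file(KEYSTONERC_ADMIN),
    AWS_ACCESS_KEY="AKIAEXAMPLEEXAMPLE",  # constructed value
    AWS_SECRET_KEY="not-a-real-secret",   # constructed value
    LANG="en_US.UTF-8",
)

SENSITIVE = ["OS_PASSWORD", "AWS_ACCESS_KEY", "AWS_SECRET_KEY",
             "OS_USERNAME", "OS_TENANT_NAME", "OS_AUTH_URL"]

if __name__ == "__main__":
    for label, rules in (("PASSWORD only", PASSWORD_ONLY), ("wider", WIDER)):
        print(f"{label}: still leaks {leaked(SAMPLE_ENV, rules, SENSITIVE)}")
        for k, v in sorted(scrub_environ(SAMPLE_ENV, rules).items()):
            print(f"  {k}={v}")
```

Running it shows the point of the reply: the PASSWORD-only rule redacts OS_PASSWORD but leaves both AWS variables and the OS_USERNAME/OS_TENANT_NAME/OS_AUTH_URL triple in the report, while the prefix rules catch them. Matching on names rather than values is deliberate: values are arbitrary strings and cannot be recognised reliably, whereas the name conventions of a given tool are stable.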