On Sun, 2014-11-30 at 13:43 +0000, Richard W.M. Jones wrote:
> On Fri, Nov 28, 2014 at 07:39:47AM +0100, Jakub Filak wrote:
> > The discussion I mentioned above was primarily about OpenStack (but the
> > participants also expressed concerns about sending 'environ' to Bugzilla
> > at all), where people are regularly storing their passwords and tokens
> > as environment variables.
>
> Yes unfortunately OpenStack does by default encourage people to source
> a 'keystonerc_admin' file which contains authentication tokens. The
> file will look something like this:
>
> export OS_USERNAME=admin
> export OS_TENANT_NAME=admin
> export OS_PASSWORD=mysecretpassword
> export OS_AUTH_URL=http://127.0.0.1:35357/v2.0/
>
> For a public cloud, knowing those values could give anyone access to
> the account.
>
> How about having abrt just remove or scrub all variables that start
> with /^OS_/ ? I know it's nasty to have application-specific
> treatment of environment variables like this, but the number of
> applications that pass auth information through environment variables
> is small.
>
> For Amazon EC2 you'd want to scrub /^AWS_/

Some time ago I've run a search against Bugzilla and found a large number of actual EC2 credentials there after I almost fell victim to this myself. So, yes, this IS a very actual issue. I find it perfectly possible that someone else could do the same search, and at the same time I find it naive to assume everyone finds it inappropriate to access the affected systems.

ABRT itself marked the reports potentially sensitive ("SECRET" in the environment variable). The reporters did not apparently mind, and I know it's easy to make the mistake.

PS: I contacted everyone affected at the time so that they change their credentials. Some of the reports were rather old and the credentials still worked! Rotate your credentials regularly!
Lubo
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
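An added example of the scrubbing Richard proposes, written for this page and not code from ABRT or from anyone in the thread. It assumes the 'environ' item is newline-separated KEY=VALUE lines, and it layers a generic name rule (PASSWORD, SECRET, TOKEN, API_KEY, ...) on top of the OS_ and AWS_ prefixes from the thread; that extra rule, the redaction marker and the sample input are assumptions of this example.

```python
"""Redact credential-bearing variables from an ABRT-style 'environ' dump
before it is attached to a public bug report.

Assumption (not from the thread): the dump is newline-separated KEY=VALUE
lines. Redacted entries keep their name so the report still shows which
variables were set, only the value is replaced.
"""
import re
from typing import List, Tuple

REDACTED = "<redacted>"

# Prefixes named in the thread: OpenStack (OS_) and Amazon EC2 (AWS_).
PREFIX_RE = re.compile(r"^(?:OS_|AWS_)")

# Generic rule added by this example: a name component that usually carries
# a secret, matched on '_' boundaries so that e.g. COMPASS_DIR is untouched.
NAME_RE = re.compile(
    r"(?:^|_)(?:PASS(?:WORD|WD)?|SECRET|TOKEN|API_?KEY|CREDENTIALS?|PRIVATE_KEY)(?:_|$)",
    re.IGNORECASE,
)


def is_sensitive(name: str) -> bool:
    """True if this variable name should never reach a public tracker."""
    return bool(PREFIX_RE.match(name) or NAME_RE.search(name))


def scrub_environ(text: str) -> Tuple[str, List[str]]:
    """Return (scrubbed dump, names of redacted variables).

    Lines without '=' pass through unchanged; values of sensitive
    variables are replaced by REDACTED, names are kept.
    """
    out, redacted = [], []
    for line in text.splitlines():
        name, sep, _value = line.partition("=")
        if sep and is_sensitive(name):
            out.append(f"{name}={REDACTED}")
            redacted.append(name)
        else:
            out.append(line)
    return "\n".join(out), redacted


if __name__ == "__main__":
    # Constructed sample; the values are placeholders, not real credentials.
    SAMPLE = (
        "SHELL=/bin/bash\nOS_USERNAME=admin\nOS_PASSWORD=mysecretpassword\n"
        "AWS_SECRET_ACCESS_KEY=example-only\nMY_APP_TOKEN=abc123\nLANG=en_US.UTF-8"
    )
    cleaned, names = scrub_environ(SAMPLE)
    print(cleaned)
    print("redacted:", ", ".join(names))
```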