[Openstack-security] Credentials in clear text

Adam Lawson alawson at aqorn.com
Mon Apr 21 23:46:30 UTC 2014


My initial concern is specific to Swift and gaining global access to all
data by virtue of having access to a single proxy node. It seems to be more than
a matter of access to system resources; it is a flaw in how data is controlled (and
how passwords are controlled).


*Adam Lawson*
AQORN, Inc.
427 North Tatnall Street
Ste. 58461
Wilmington, Delaware 19801-2230
Toll-free: (844) 4-AQORN-NOW
Direct: +1 (302) 268-6914



On Mon, Apr 21, 2014 at 4:41 PM, Bryan D. Payne <bdpayne at acm.org> wrote:

> This would be a nice hardening step, but if you have sudo on the box
> there are a lot of things you can do and see.  This is just the tip of the
> iceberg.  For example, access to the backend db?  Access to traffic on the
> network / unix sockets / etc?  Access to logs.
>
> I am not aware of any current efforts to mask this information from the
> config files.  But that doesn't mean it's not happening.  If someone is
> aware of such an effort, I'd certainly be interested in learning more about
> it.
>
> Cheers,
> -bryan
>
> On Mon, Apr 21, 2014 at 4:26 PM, Adam Lawson <alawson at aqorn.com> wrote:
>
>> Have .conf files containing credentials and tokens been addressed, or are they
>> being addressed? Seems there are a lot of keys to the kingdom clearly
>> visible to staff who have access to systems for day-to-day admin work but
>> don't/shouldn't be able to view them. If they have sudo access, they have
>> everything they need to get where they don't belong. Really strikes me as
>> an obvious audit issue...
>>