[Openstack-security] Credentials in clear text

Bryan D. Payne bdpayne at acm.org
Tue Apr 22 00:15:52 UTC 2014


This is fair.  I'm not personally familiar with Swift, so I will let others
chime in on that.
-bryan


On Mon, Apr 21, 2014 at 4:47 PM, Adam Lawson <alawson at aqorn.com> wrote:

> Preventing access to passwords for the purpose of preventing unauthorized
> access to data is another way I look at it.
>
>
> *Adam Lawson*
> AQORN, Inc.
> 427 North Tatnall Street
> Ste. 58461
> Wilmington, Delaware 19801-2230
> Toll-free: (844) 4-AQORN-NOW
> Direct: +1 (302) 268-6914
>
>
>
> On Mon, Apr 21, 2014 at 4:46 PM, Adam Lawson <alawson at aqorn.com> wrote:
>
>> My initial concern is specific to Swift and gaining global access to all
>> data by virtue of having access to a single proxy node. It seems more than
>> access to system resources but a flaw in how data is controlled (and
>> passwords are controlled).
>>
>>
>>
>>
>> On Mon, Apr 21, 2014 at 4:41 PM, Bryan D. Payne <bdpayne at acm.org> wrote:
>>
>>> This would be a nice hardening step, but if you have sudo on the box
>>> there's a lot of things you can do and see.  This is just the tip of the
>>> iceberg.  For example, access to the backend db?  Access to traffic on the
>>> network / unix sockets / etc?  Access to logs.
>>>
>>> I am not aware of any current efforts to mask this information from the
>>> config files.  But that doesn't mean it's not happening.  If someone is
>>> aware of such an effort, I'd certainly be interested in learning more about
>>> it.
>>>
>>> Cheers,
>>> -bryan
>>>
>>>
>>>
>>>
>>> On Mon, Apr 21, 2014 at 4:26 PM, Adam Lawson <alawson at aqorn.com> wrote:
>>>
>>>> Have .conf files containing credentials and tokens been addressed or are
>>>> being addressed? Seems there are a lot of keys to the kingdom clearly
>>>> visible to staff who have access to systems for day-to-day admin work but
>>>> don't/shouldn't be able to view them. If they have sudo access, they have
>>>> everything they need to get where they don't belong. Really strikes me as
>>>> an obvious audit issue...
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Openstack-security mailing list
>>>> Openstack-security at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>>>>
>>>>
>>>
>>
>