<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>As Bryan mentioned already, a user with access to production systems, particularly one with sudo/root access – is in an incredibly privileged position. On its own this is an auditing issue but it’s a recognised one. In most deployments subject to auditing (i.e. production) it’s likely that compensating controls such as gated access, user logging, MAC etc. are all in place to control the risk.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>It’s a messy problem to deal with. I’ve seen approaches where the process and configuration file are both owned by an elevated user, once the process has loaded the configuration file it drops privs and can no longer read the file, this can be useful as a mechanism for avoiding directory traversal in web services etc I’m not sure how viable an approach this would be with something like Swift.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>-Rob<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> Bryan D. Payne [mailto:bdpayne@acm.org] <br><b>Sent:</b> 22 April 2014 01:16<br><b>To:</b> Adam Lawson<br><b>Cc:</b> openstack-security@lists.openstack.org<br><b>Subject:</b> Re: [Openstack-security] Credentials in clear text<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>This is fair. I'm not personally familiar with Swift, so I will let others chime in on that.<o:p></o:p></p><div><p class=MsoNormal>-bryan<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Mon, Apr 21, 2014 at 4:47 PM, Adam Lawson <<a href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><p class=MsoNormal>Preventing access to passwords for the purpose of preventing unauthorized access to data as another way I look at it.<o:p></o:p></p></div><div><div><p class=MsoNormal><br clear=all><o:p></o:p></p><div><div><div><div><p class=MsoNormal><b><i><span style='font-family:"Arial","sans-serif"'><br>Adam Lawson</span></i></b><span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p></div><div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>AQORN, Inc.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>427 North Tatnall Street<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>Ste. 58461<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>Wilmington, Delaware 19801-2230<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>Toll-free: (844) 4-AQORN-NOW<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>Direct: </span><a href="tel:%2B1%20%28302%29%20268-6914" target="_blank"><span style='font-family:"Arial","sans-serif"'>+1 (302) 268-6914</span></a><span style='font-family:"Arial","sans-serif";color:#666666'><o:p></o:p></span></p></div></div></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><img border=0 width=120 height=49 id="_x0000_i1027" src="http://www.aqorn.com/images/logo.png" alt="http://www.aqorn.com/images/logo.png"></span><span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p></div><div><div><div><p class=MsoNormal>On Mon, Apr 21, 2014 at 4:46 PM, Adam Lawson <<a href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><p class=MsoNormal>My initial concern is specific to Swift and gaining global access to all data by virtue of having access to a single proxy node. It seems more than access to system resources but a flaw in how data is controlled (and passwords are controlled).<o:p></o:p></p></div><div><div><p class=MsoNormal><br clear=all><o:p></o:p></p><div><div><div><div><p class=MsoNormal><b><i><span style='font-family:"Arial","sans-serif"'><br>Adam Lawson</span></i></b><span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p></div><div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>AQORN, Inc.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>427 North Tatnall Street<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>Ste. 58461<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>Wilmington, Delaware 19801-2230<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>Toll-free: (844) 4-AQORN-NOW<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>Direct: </span><a href="tel:%2B1%20%28302%29%20268-6914" target="_blank"><span style='font-family:"Arial","sans-serif"'>+1 (302) 268-6914</span></a><span style='font-family:"Arial","sans-serif";color:#666666'><o:p></o:p></span></p></div></div></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><img border=0 width=120 height=49 id="_x0000_i1026" src="http://www.aqorn.com/images/logo.png" alt="http://www.aqorn.com/images/logo.png"></span><span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p></div><div><div><div><p class=MsoNormal>On Mon, Apr 21, 2014 at 4:41 PM, Bryan D. Payne <<a href="mailto:bdpayne@acm.org" target="_blank">bdpayne@acm.org</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><p class=MsoNormal>This would be a nice hardening step, but if you have sudo on the box there's a lot of things you can do see. This is just the tip of the iceberg. For example, access to the backend db? Access to traffic on the network / unix sockets / etc? Access to logs.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I am not aware of any current efforts to mask this information from the config files. But that doesn't mean it's not happening. If someone is aware of such an effort, I'd certainly be interested in learning more about it.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Cheers,<o:p></o:p></p></div><div><p class=MsoNormal>-bryan<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><div><div><p class=MsoNormal>On Mon, Apr 21, 2014 at 4:26 PM, Adam Lawson <<a href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>> wrote:<o:p></o:p></p></div></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal>Have .conf files containing credentials and tokens been addressed or being addressed? Seems there are a lot of keys to the kingdom clearly visible to staff who have access to systems for day-to-day admin work but don't/shouldn't be able to view them. If they have sudo access, they have everything they need to get where they don't belong. Really strikes me as an obvious audit issue...<span style='color:#888888'><o:p></o:p></span></p><div><div><p class=MsoNormal><span style='color:#888888'><br clear=all><o:p></o:p></span></p><div><div><div><div><p class=MsoNormal><b><i><span style='font-family:"Arial","sans-serif";color:#888888'><br>Adam Lawson</span></i></b><span style='font-family:"Arial","sans-serif";color:#888888'><o:p></o:p></span></p></div><div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>AQORN, Inc.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>427 North Tatnall Street<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>Ste. 58461<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>Wilmington, Delaware 19801-2230<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>Toll-free: (844) 4-AQORN-NOW<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>Direct: </span><a href="tel:%2B1%20%28302%29%20268-6914" target="_blank"><span style='font-family:"Arial","sans-serif"'>+1 (302) 268-6914</span></a><span style='font-family:"Arial","sans-serif";color:#666666'><o:p></o:p></span></p></div></div></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#888888'><img border=0 width=120 height=49 id="_x0000_i1025" src="http://www.aqorn.com/images/logo.png" alt="http://www.aqorn.com/images/logo.png"></span><span style='font-family:"Arial","sans-serif";color:#888888'><o:p></o:p></span></p></div></div></div></div></div></div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal style='margin-bottom:12.0pt'>_______________________________________________<br>Openstack-security mailing list<br><a href="mailto:Openstack-security@lists.openstack.org" target="_blank">Openstack-security@lists.openstack.org</a><br><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><o:p></o:p></p></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></body></html>