[Openstack] password in clear text

Clint Byrum clint at fewbar.com
Wed Mar 23 17:41:38 UTC 2016


Excerpts from Tim Bell's message of 2016-03-23 09:17:20 -0700:
> 
> The difficulty with the environment variables is that the administrator of the box you are logged into can read the environment using ps auxwwww.
> 
> There has been some work done to support storing all the variables in a file (which would be an environment variable) such that the CLIs read from the file rather than needing it in the environment. This at least minimises the access to the home directory file servers rather than the root admin on the box you are using.
> 

This does no such thing. The admin can read every single byte of RAM
in your process space, trace your library calls, and impersonate you to
get the same filesystem access. You have to trust the admins of systems
you are making client calls from. There is _no_ way around that. This is
one reason to want REST APIs, so you can have an end-to-end encrypted
conversation with the REST API from the device you are certain is secure,
over a network and through systems you are not certain are secure.



