[Openstack] password in clear text

Clint Byrum clint at fewbar.com
Wed Mar 23 20:18:23 UTC 2016


Excerpts from Tim Bell's message of 2016-03-23 11:53:38 -0700:
> 
> On 23/03/16 18:41, "Clint Byrum" <clint at fewbar.com> wrote:
> 
> >Excerpts from Tim Bell's message of 2016-03-23 09:17:20 -0700:
> >> 
> >> The difficulty with the environment variables is that the administrator of the box you are logged into can read the environment using ps auxwwww.
> >> 
> >> There has been some work done to support storing all the variables in a file (which would be an environment variable) such that the CLIs read from the file rather than needing it in the environment. This at least minimises the access to the home directory file servers rather than the root admin on the box you are using.
> >> 
> >
> >This does no such thing. The admin can read every single byte of RAM
> >in your process space, trace your library calls, and impersonate you to
> >get the same filesystem access. You have to trust the admins of systems
> >you are making client calls from. There is _no_ way around that. This is
> >one reason to want REST API's, so you can have an end-to-end encrypted
> >conversation with the REST API from the device you are certain is secure,
> >over a network and through systems you are not certain are secure.
> 
> Giving someone access to a kerberos key valid for 24 hours based on their ability to read every byte of my internal process space is very different from someone trivially running ps auxwww to get the list of people and their passwords which are generally valid for months.
> 
> While there is no guaranteed way round it, we should not make it so easy and for so long.
> 

Environment variables aren't visible in 'ps auxwww', though they are in
/proc/$pid/environ, which is only visible to the owning user and root,
so that's not quite as terrible as the picture painted.

The thing I was responding to wasn't Kerberos. Oh please great deity of
system administration, bring all OpenStack users actual Kerberos, which
would in fact be a huge improvement.

I was responding to "There has been some work done to support storing
all the variables in a file". Wherever those variables are read into,
which is, process space, is exactly equivalent to environment variables.
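The visibility claim above is easy to check directly. The script below is an added demonstration, not something posted in this thread or shipped by OpenStack: it starts a throwaway "sleep" carrying a constructed OS_PASSWORD in its environment and then reads the two /proc files involved. Plain `ps auxwww` prints argv, which the kernel exposes as /proc/<pid>/cmdline, so the password does not appear there; the environment is a separate file, /proc/<pid>/environ, which the kernel creates with mode 0400 (readable by the owning uid, and by root, which bypasses that check). One caveat the thread does not spell out: `ps` with the `e` option does print environments, but it reads the same /proc/<pid>/environ and so is subject to the same permission check.

```shell
#!/bin/sh
# Added example, not from the thread: where a client password placed in the
# environment is and is not visible on Linux. OS_PASSWORD and its value are
# constructed for the demo; the secret-carrying process is just "sleep".

SECRET="constructed-demo-secret"

# Start a child that carries the secret in its environment; print its pid.
start_secret_child() {
    OS_PASSWORD="$SECRET" sleep 60 &
    echo "$!"
}

# `ps auxwww` prints argv, which the kernel exposes as /proc/<pid>/cmdline.
# Succeeds (exit 0) only if the secret appears there.
secret_in_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline" | grep -q "$SECRET"
}

# The environment lives in a separate, NUL-separated file, /proc/<pid>/environ.
# Succeeds only if OS_PASSWORD is present there with the secret value.
secret_in_environ() {
    tr '\0' '\n' < "/proc/$1/environ" | grep -q "^OS_PASSWORD=$SECRET\$"
}

# Who may read it: the kernel creates environ with mode 0400, i.e. readable
# by the owning uid only (root bypasses the check via CAP_DAC_READ_SEARCH).
environ_mode() {
    stat -c '%a' "/proc/$1/environ"
}

# Run the three checks against a fresh child and report. Returns 0 if the
# picture holds: absent from cmdline, present in environ, environ is 0400.
demo() {
    pid=$(start_secret_child)
    sleep 1   # let the child finish exec so /proc reflects sleep, not the shell
    status=0
    if secret_in_cmdline "$pid"; then
        echo "cmdline (what ps auxwww shows) leaks the secret"; status=1
    else
        echo "cmdline (what ps auxwww shows) does not contain the secret"
    fi
    if secret_in_environ "$pid"; then
        echo "/proc/$pid/environ contains OS_PASSWORD"
    else
        echo "/proc/$pid/environ does not contain OS_PASSWORD"; status=1
    fi
    mode=$(environ_mode "$pid")
    echo "/proc/$pid/environ mode: $mode"
    [ "$mode" = "400" ] || status=1
    kill "$pid" 2>/dev/null
    return "$status"
}

demo
```

Run it as an unprivileged user and then try reading /proc/<pid>/environ for a process owned by somebody else: the open fails with EACCES, which is the whole of the protection the thread is discussing, and it is exactly what a root admin on the same box does not have to respect.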
