Credentials exposed in environment variables and command-line arguments #2011
Comments
This has been discussed among the team and there's agreement that this is not an issue particular to Flux nor something that couldn't be addressed by security-conscious users:
However, one workflow that could be improved is to prompt the user for a token if it cannot be retrieved from the environment. This is what Terraform does.
This change adds functionality to both `bootstrap github` and `bootstrap gitlab` to prompt the user for the personal access tokens if those can't be derived from the shell environment. Echoing is turned off for better privacy. Instead of having to interactively type the token or manually paste it from the clipboard, users can also pipe it to Flux which comes in handy e.g. when executing Flux remotely over an SSH connection:

```
$ echo 'asdf' | flux bootstrap github
```

Otherwise, Flux will prompt the user:

```
$ flux bootstrap github
Please type your GitHub personal access token:
```

Signed-off-by: Max Jonas Werner <mail@makk.es>
closes fluxcd#2011
Providing a mechanism to provide credentials without leaking them is a Flux concern.
That does not help against
How far would you believe a tool consuming credentials should go trying to not leak them? I'd be interested to understand how tools like
Probably not. But shouldn't hiding other users' processes be taken care of by the OS?
@johngmyers there's one more thing that might've sneaked by your attention: We're working on providing an interactive prompt for tokens as part of #2038
Such a tool should permit a way to pass the credentials other than through the environment and/or argv. For example, by providing a way to pass the credentials through a file, such as And any manifest referencing such a tool should pass credentials using such other mechanisms. (I have not found any such problems in Flux.)
Perhaps theoretically, but Linux doesn't do such hiding by default. Projects supporting Linux need to deal with Linux shortcomings.
This is good for interactive use, but not for things that are used in automation. On the other hand, it seems that
@johngmyers I beg to differ as this new way of providing a token allows you to pass it in from stdin so you can e.g. tunnel the token through SSH without it being exposed anywhere on the receiving end.
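As an added example (not Flux's code and not from the PR discussed above), here is the source order the thread converges on in Go: an environment variable if set, otherwise a token piped on stdin, otherwise an interactive prompt with terminal echo switched off. `ResolveToken` and `promptNoEcho` are names invented for this example; the `GITHUB_TOKEN` variable name and the Linux termios calls through the standard `syscall` package are assumptions of the example, not a description of how Flux implements the prompt.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
	"syscall"
	"unsafe"
)

// ResolveToken: env var, else piped stdin, else prompt. Stdin and the prompt keep the token out of argv and the environment, both readable by other local processes.
func ResolveToken(env string, stdin io.Reader, stdinIsTTY bool, prompt func() (string, error)) (string, error) {
	if env != "" {
		return env, nil
	}
	if stdinIsTTY {
		return prompt()
	}
	// Piped input (e.g. `echo "$TOKEN" | flux bootstrap github` over SSH): consume exactly one line.
	line, err := bufio.NewReader(stdin).ReadString('\n') // err is io.EOF when the line has no trailing newline
	if tok := strings.TrimSpace(line); tok != "" {
		return tok, nil
	}
	return "", fmt.Errorf("stdin is not a terminal and carried no token (read error: %v)", err)
}

// promptNoEcho reads one line with echo off via Linux termios (standard syscall package; this example's own helper, not Flux's).
func promptNoEcho(label string) (string, error) {
	fd, saved := os.Stdin.Fd(), syscall.Termios{}
	if _, _, e := syscall.Syscall(syscall.SYS_IOCTL, fd, syscall.TCGETS, uintptr(unsafe.Pointer(&saved))); e != 0 {
		return "", e
	}
	quiet := saved
	quiet.Lflag &^= syscall.ECHO
	syscall.Syscall(syscall.SYS_IOCTL, fd, syscall.TCSETS, uintptr(unsafe.Pointer(&quiet)))
	defer syscall.Syscall(syscall.SYS_IOCTL, fd, syscall.TCSETS, uintptr(unsafe.Pointer(&saved))) // always restore echo
	fmt.Fprint(os.Stderr, label)
	line, err := bufio.NewReader(os.Stdin).ReadString('\n')
	fmt.Fprintln(os.Stderr)
	return strings.TrimSpace(line), err
}

func main() {
	fi, statErr := os.Stdin.Stat() // a character device means a TTY; a pipe or file means non-interactive input
	tok, err := ResolveToken(os.Getenv("GITHUB_TOKEN"), os.Stdin, statErr == nil && fi.Mode()&os.ModeCharDevice != 0,
		func() (string, error) { return promptNoEcho("Please type your GitHub personal access token: ") })
	fmt.Fprintf(os.Stderr, "got %d bytes, err=%v (never print or log the token itself)\n", len(tok), err)
}
```

With stdin attached to a terminal the program prompts without echo; with `echo "$TOKEN" | ./prog` it reads the pipe and never prompts, so the token appears in neither `ps` output nor the process environment.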
Brought up by Ada Logics