kubeconfig files are saved as world readable in /tmp #854

jgreat · 2020-09-10T23:03:59Z

Describe the bug

Looks like Lens is saving kubeconfg files with world readable permissions in /tmp. This could leak credentials to other system users.

/tmp at ☸️ staging  
➜ ls -la | grep kubeconfig                
-rw-rw-r--  1 jgreat jgreat  1170 Sep 10 17:33 0xs1firxzfj-d36vse1mj79-kubeconfig
-rw-rw-r--  1 jgreat jgreat  1160 Sep 10 17:48 1gle5yr5o47-mlbbgotjp6-kubeconfig
-rw-rw-r--  1 jgreat jgreat  1160 Sep 10 17:33 2j21565sn4e-m966bthn18l-kubeconfig
-rw-rw-r--  1 jgreat jgreat  1170 Sep 10 17:48 4ne574lnwc-h5r8ffk7m8s-kubeconfig
-rw-rw-r--  1 jgreat jgreat  1170 Sep 10 17:33 4vk4ye483kq-tvdrsrcylbg-kubeconfig
-rw-rw-r--  1 jgreat jgreat   483 Sep 10 17:33 5g8tmwjgyn-3dv3qomk466-kubeconfig
-rw-rw-r--  1 jgreat jgreat  1160 Sep 10 17:33 7pr5n1vt6j-gsa72ii1udh-kubeconfig
-rw-rw-r--  1 jgreat jgreat   483 Sep 10 17:33 cac9zqb1drq-bbezloppd2-kubeconfig
-rw-rw-r--  1 jgreat jgreat   501 Sep 10 17:33 encmbvw1xyr-8ktrmi7k9je-kubeconfig
-rw-rw-r--  1 jgreat jgreat   483 Sep 10 17:48 jawgbkqctur-1zdyjpil7dv-kubeconfig
-rw-rw-r--  1 jgreat jgreat   501 Sep 10 17:33 jouow0wymx-nbopfk4btee-kubeconfig
-rw-rw-r--  1 jgreat jgreat   501 Sep 10 17:33 m53bn3w57so-lq4rfkraln-kubeconfig
-rw-rw-r--  1 jgreat jgreat   483 Sep 10 17:33 r4fbpm11yjd-th9v1qj9xd-kubeconfig
-rw-rw-r--  1 jgreat jgreat  1160 Sep 10 17:33 s45bllh1wm8-gk2rtbt3stg-kubeconfig
-rw-rw-r--  1 jgreat jgreat   501 Sep 10 17:48 u9dmmzg0ug-p5fqzkgbnu-kubeconfig
-rw-rw-r--  1 jgreat jgreat  1170 Sep 10 17:33 ypdv9qykqmh-7ie4eca9104-kubeconfig

To Reproduce

Exit lens and clear out any existing kubeconfig files in /tmp

rm /tmp/*-kubeconfig

Start lens and connect to any cluster. New entries will show up in /tmp.

ls -la /tmp | grep kubeconfig

Expected behavior

Don't save sensitive credentials in shared system directories with world readable permissions.

Screenshots

N/A

Environment (please complete the following information):

Lens Version: 3.5.3
OS: Linux - "Pop!_OS 20.04 LTS"
Installation method: snap

Logs:

(process:302643): Gtk-WARNING **: 18:02:50.917: Locale not supported by C library.
	Using the fallback 'C' locale.
info: SNAP env is defined, updater is disabled
warn: PrometheusLens: failed to list services: services "prometheus" not found
warn: PrometheusLens: failed to list services: services "prometheus" not found
warn: PrometheusLens: failed to list services: services "prometheus" not found
warn: PrometheusLens: failed to list services: services "prometheus" not found
info: using lens as prometheus provider
info: using lens as prometheus provider

Kubeconfig:

N/a

Additional context

When I add cluster to lens, I copy and paste kubeconfigs into the custom dialog box. I don't merge context into the user default ${HOME}/.kube/config

The text was updated successfully, but these errors were encountered:

jakolehm · 2020-09-11T12:38:30Z

This might be already fixed in 3.6 pre-releases, needs to be verified. /cc @nevalla @jim-docker @Nokel81

nevalla · 2020-09-11T12:50:58Z

Yes. This is fixed already in master. Last bits were merged today (#857) and will be shipped in the next 3.6 rc.

jim-docker · 2020-09-11T12:52:46Z

duplicate of #655

jakolehm added the bug Something isn't working label Sep 11, 2020

nevalla closed this as completed Sep 11, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

kubeconfig files are saved as world readable in /tmp #854

kubeconfig files are saved as world readable in /tmp #854

jgreat commented Sep 10, 2020

jakolehm commented Sep 11, 2020

nevalla commented Sep 11, 2020

jim-docker commented Sep 11, 2020

kubeconfig files are saved as world readable in /tmp #854

kubeconfig files are saved as world readable in /tmp #854

Comments

jgreat commented Sep 10, 2020

jakolehm commented Sep 11, 2020

nevalla commented Sep 11, 2020

jim-docker commented Sep 11, 2020