-
Notifications
You must be signed in to change notification settings - Fork 247
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Confidential values leaked into log file in debug mode #2967
Comments
Run init/default/998_dump_variables.sh only in debugscripts mode where the 'set -x' output in general already reveals possibly confidential information and additionally suppress output that contains 'pass' or 'key' or 'crypt' (ignore case) to skip output e.g. for BACKUP_PROG_CRYPT_KEY or SSH_ROOT_PASSWORD or LUKS_CRYPTSETUP_OPTIONS cf. #2967
95f3082 |
I have two conflicting thoughts about this:
Personally, I'd prefer option 1) (full dump) and expect users to check the output they send us. We could also add another warning to our GitHub issue template to remind users to scrape secrets from the debug log, if they set any. For reference, other tools like for example the @rear/contributors other opinions? |
maintain a list of variables that contain confidential values |
In init/default/998_dump_variables.sh give a hint that secrets are skipped, cf. #2967 (comment)
Sleeping on it made it even more critical at least for me: Now I have legal liability worries about it, at least I think in general when someone does something I think in particular when making software this means In this case init/default/998_dump_variables.sh Furthermore - and this is the crucial point for me I think - at least as far as I understand general principles |
Disable init/default/998_dump_variables.sh because of legal liability worries until #2967 is solved
With |
@rear/contributors The generic problem is that debug information may in general |
@jsmeix I strongly disagree with this approach. At some level ReaR debugging must be "complete", that is normal for every software. In any case, we won't be able to find a 100% "safe" solution here, as users can add additional variables with potential secrets. About your worries under German law: That is why ReaR is shipped under the GPL where we explicitly shed responsiilities for what ReaR does after a user installs and uses it, like any other Open Source software. As long as there is no obvious malicious intent we are safe. Malicious intent could be a piece of code that uploads all users' secrets to a website while obfuscating what it does. If it helps I'm happy to expand the variable dump feature to mask out all BTW, your check for variable naming should probably be expanded to only match on the variable names and not content. |
For inspiration, I checked what Ansible does - there are similar concerns, because it is easy to show all Ansible module call parameters (including values) during playbook execution (merely by requesting verbose output), and secrets are passed to modules using parameters, so they would leak quite often. Ansible allows marking some module parameters as
We would use upper case of course, and we should add The question about debugscript/-D/set -x is a more difficult one: I see @jsmeix changed code to protect against that in #2156, but doing it for all such variables will be difficult. # ... insert it between the single quotes of the following line:
# { TTY_ROOT_PASSWORD=''; } 2>/dev/null
# NOTE: stderr is redirected in the above line to avoid exposing the password hash
# in the log file when ReaR runs in debugscript mode. but there is also this comment # In debugscript mode only scripts sourced by the Source function in lib/framework-functions.sh
# are run with 'set -x' but default.conf is sourced by usr/sbin/rear directly.
# See the comment of the UserInput function in lib/_input-output-functions.sh
# how to keep things confidential when usr/sbin/rear is run in debugscript mode which seem contradictory. Regarding
this makes some sense, as an example Ansible also shows all values when you debug it itself by setting |
OK, how about we add a new option |
In general individual agreements (like GPL) In a specific case one needs to get a legal judgement Without a court decision about this particular case |
@schlomo In the past I never needed all variables values In the past the 'set -x' debugscript mode output If I needed even more details I could easily add |
If I'm the only one who would like to see all variables in debug logs then I'm fine with removing that script altogether and relying on on-demand hacks if needed. |
I have felt a need for such a script myself some time ago (and not for debugging, so I would even introduce a separate workflow), so I would keep it, if the secrets issue can be addressed sufficiently. |
I asked colleagues about their general thoughts regarding A colleague told me about this
which matches what @schlomo suggests in Currently I think a command line option is the best way My reasoning: My reasoning is primarily about legal things and usability: A command line option must be explicitly typed in by the user. A command line option provides better usability
Finally with a generic command line option
could make sense even in normal (non-debug) node |
@schlomo @pcahyna @gdha |
I think the idea is very good. For debugging purposes, the user or developer can see the executed command, if activated. @jsmeix |
@codefritzel |
Ouch!
leaks $SCRET_ARGUMENT when COMMAND failed because
outputs into the log file in any case because
So we also need the 'LogSecret' function. |
In sbin/rear added --expose-secrets option and SECRET_OUTPUT_DEV, see #2967
In #3006
Nothing is documented yet in "rear help" or "man rear" |
New --expose-secrets option plus SECRET_OUTPUT_DEV: In sbin/rear added --expose-secrets option and SECRET_OUTPUT_DEV. Script code usage example: { SECRET COMMAND ; } 2>>/dev/$SECRET_OUTPUT_DEV In lib/_input-output-functions.s added LogSecret function. Script code usage example: { LogSecret "secret text" || Log "public text" ; } 2>>/dev/$SECRET_OUTPUT_DEV Both are requirements to solve #2967
With #3006 merged
with
|
Use '{ SECRET COMMAND ; } 2>>/dev/$SECRET_OUTPUT_DEV' instead of '{ SECRET COMMAND ; } 2>/dev/null' because '{ ... ; } 2>>/dev/$SECRET_OUTPUT_DEV' makes debugging still possible for the user by calling rear with the '--expose-secrets' option and SECRET_OUTPUT_DEV makes it clear which redirections are explicitly meant to hide secrets to distinguish them from usual unwanted output discard via '2>/dev/null' see #3006 and #2967
With #3034 merged also |
Overhauled init/default/998_dump_variables.sh so that its intended functionality happens only when explicitly requested by the user to avoid that possibly confidential values are output into the log file by accident, see #2967
As far as I see |
Overhauled init/default/998_dump_variables.sh so that its intended functionality happens only when explicitly requested by the user by calling 'rear' with the 'expose-secrets' option to avoid that possibly confidential values are output into the log file by accident, see #2967
@jsmeix I just noticed that The manpage actually does mention it, so I was wondering. |
Added missing "-e --expose-secrets" description to lib/help-workflow.sh see #2967 (comment)
The help workflow was simply forgotten. I fixed it via |
current GitHub master code
excerpt:
Since
b83059a
there is - by the way - a new
init/default/998_dump_variables.sh
which is unrelated to what the commit message describes.
The new script does currently only
which outputs in debug modes also confidential
variable values into the ReaR log file like
In particular BACKUP_PROG_CRYPT_KEY is critical
because that new script foils my security/privacy
code enhancements that I did for BACKUP_PROG_CRYPT_KEY
see #2155
and #2156
The text was updated successfully, but these errors were encountered: