Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not log BACKUP_PROG_CRYPT_KEY value (issue 2155) #2156

Merged
merged 6 commits into from Jun 7, 2019
Merged

Do not log BACKUP_PROG_CRYPT_KEY value (issue 2155) #2156

merged 6 commits into from Jun 7, 2019

Conversation

jsmeix
Copy link
Member

@jsmeix jsmeix commented Jun 6, 2019

Separate the special case when BACKUP_PROG_CRYPT_ENABLED
with a BACKUP_PROG_CRYPT_KEY is used
from the usual case when it is not used.

Only when BACKUP_PROG_CRYPT_ENABLED with
a BACKUP_PROG_CRYPT_KEY is used do special stuff
(in particular redirect stderr to /dev/null for certain commands)
to avoid that the BACKUP_PROG_CRYPT_KEY value appears
in a log file in particular when set -x is set.

I think it is more important to not leak out user secrets into a log file
than having stderr error messages when a confidential command fails.

That separation caused "mostly duplicated" code parts, i.e. code parts
that are almost same - except the differences that are related to
the "BACKUP_PROG_CRYPT_ENABLED" case but I have no better idea
how to redirect stderr to /dev/null versus not redirect stderr to /dev/null
for the two cases in a clean way without making the code even more
complicated and oversophisticated than it already is.

By the way I also corrected the spelling typo
from debugscripts mode to debugscript mode
to match the spelling in "man rear" that reads

       -D
           debugscript mode ...

@jsmeix jsmeix added this to the ReaR v2.6 milestone Jun 6, 2019
@jsmeix jsmeix requested review from gdha and rmetrich June 6, 2019 10:35
@jsmeix jsmeix self-assigned this Jun 6, 2019
@jsmeix jsmeix requested a review from a team June 6, 2019 10:35
@jsmeix
Copy link
Member Author

jsmeix commented Jun 6, 2019
edited

My very first usage of BACKUP_PROG_CRYPT_ENABLED
with a BACKUP_PROG_CRYPT_KEY "just worked" for me.

Because in this case the whole backup command pipe
has stderr redirected to /dev/null the backup.log file
is rather empty in this case.

Here my whole backup.log for "rear -D mkbackup":

++ case "$(basename ${BACKUP_PROG})" in
+++ basename tar
++ set_tar_features
++ TAR_OPTIONS=
++ FEATURE_TAR_WARNINGS=
+++ get_version tar --version
+++ sed -rn 's/^[^0-9\.]*([0-9]+\.[-0-9a-z\.]+).*$/\1/p'
+++ head -1
+++ TERM=dumb
+++ tar --version
++ local tar_version=1.30
++ version_newer 1.30 1.23
++ v1list=(${1//[-.]/ })
++ local v1list
++ v2list=(${2//[-.]/ })
++ local v2list
++ local max=2
++ ((  2 < 2  ))
++ local pos
+++ seq 0 1
++ for pos in $(seq 0 $(( max -1 )))
++ ((  10#01 < 10#01  ))
++ ((  10#01 > 10#01  ))
++ for pos in $(seq 0 $(( max -1 )))
++ ((  10#030 < 10#023  ))
++ ((  10#030 > 10#023  ))
++ return 0
++ FEATURE_TAR_WARNINGS=y
++ TAR_OPTIONS=' --warning=no-xdev'
++ FEATURE_TAR_IS_SET=1
++ is_true yes
++ case "$1" in
++ return 0
+++ cat /tmp/rear.F2EnBRBZNh8dU9N/tmp/backup-include.txt
++ Log tar --warning=no-xdev --sparse --block-number --totals --verbose --no-wildcards-match-slash --one-file-system --ignore-failed-read --anchored --xattrs --xattrs-include=security.capability --xattrs-include=security.selinux --acls --gzip -X /tmp/rear.F2EnBRBZNh8dU9N/tmp/backup-exclude.txt -C / -c -f - / /root/rear.jsmeix/var/log/rear/rear-linux-44ml.log '|' /usr/bin/openssl des3 -salt -k BACKUP_PROG_CRYPT_KEY '|' dd of=/tmp/rear.F2EnBRBZNh8dU9N/outputfs/linux-44ml/backup.tar.gz
++ echo '2019-06-06 12:52:10.168472467 tar --warning=no-xdev --sparse --block-number --totals --verbose --no-wildcards-match-slash --one-file-system --ignore-failed-read --anchored --xattrs --xattrs-include=security.capability --xattrs-include=security.selinux --acls --gzip -X /tmp/rear.F2EnBRBZNh8dU9N/tmp/backup-exclude.txt -C / -c -f - / /root/rear.jsmeix/var/log/rear/rear-linux-44ml.log | /usr/bin/openssl des3 -salt -k BACKUP_PROG_CRYPT_KEY | dd of=/tmp/rear.F2EnBRBZNh8dU9N/outputfs/linux-44ml/backup.tar.gz'
2019-06-06 12:52:10.168472467 tar --warning=no-xdev --sparse --block-number --totals --verbose --no-wildcards-match-slash --one-file-system --ignore-failed-read --anchored --xattrs --xattrs-include=security.capability --xattrs-include=security.selinux --acls --gzip -X /tmp/rear.F2EnBRBZNh8dU9N/tmp/backup-exclude.txt -C / -c -f - / /root/rear.jsmeix/var/log/rear/rear-linux-44ml.log | /usr/bin/openssl des3 -salt -k BACKUP_PROG_CRYPT_KEY | dd of=/tmp/rear.F2EnBRBZNh8dU9N/outputfs/linux-44ml/backup.tar.gz
++ backup_prog_shortnames=("$(basename $(echo "$BACKUP_PROG" | awk '{ print $1 }'))" "$(basename $(echo "$BACKUP_PROG_CRYPT_OPTIONS" | awk '{ print $1 }'))" "$(basename $(echo "$SPLIT_COMMAND" | awk '{ print $1 }'))")
++++ awk '{ print $1 }'
++++ echo tar
+++ basename tar
++++ awk '{ print $1 }'
++++ echo '/usr/bin/openssl des3 -salt -k '
+++ basename /usr/bin/openssl
++++ awk '{ print $1 }'
++++ echo 'dd of=/tmp/rear.F2EnBRBZNh8dU9N/outputfs/linux-44ml/backup.tar.gz'
+++ basename dd
++ for index in ${!backup_prog_shortnames[@]}
++ '[' -n tar ']'
++ for index in ${!backup_prog_shortnames[@]}
++ '[' -n openssl ']'
++ for index in ${!backup_prog_shortnames[@]}
++ '[' -n dd ']'
++ is_true yes
++ case "$1" in
++ return 0
++ pipes_rc=(${PIPESTATUS[@]})
++ let index=3-1
++ '[' 2 -ge 0 ']'
++ rc=0
++ '[' 0 -ne 0 ']'
++ let index--
++ '[' 1 -ge 0 ']'
++ rc=0
++ '[' 0 -ne 0 ']'
++ let index--
++ '[' 0 -ge 0 ']'
++ rc=1
++ '[' 1 -ne 0 ']'
++ echo tar
++ echo 1
++ '[' 1 -eq 1 ']'
++ '[' tar '!=' tar ']'
++ exit 1

The only line that is not caused by set -x is

2019-06-06 12:52:10.168472467 tar --warning=no-xdev --sparse --block-number --totals --verbose --no-wildcards-match-slash --one-file-system --ignore-failed-read --anchored --xattrs --xattrs-include=security.capability --xattrs-include=security.selinux --acls --gzip -X /tmp/rear.F2EnBRBZNh8dU9N/tmp/backup-exclude.txt -C / -c -f - / /root/rear.jsmeix/var/log/rear/rear-linux-44ml.log | /usr/bin/openssl des3 -salt -k BACKUP_PROG_CRYPT_KEY | dd of=/tmp/rear.F2EnBRBZNh8dU9N/outputfs/linux-44ml/backup.tar.gz

i.e. the Log command output in
usr/share/rear/backup/NETFS/default/500_make_backup.sh

The recover.backup.tar.gz.*.restore.log looks a bit better
(with "rear -D recover")

++ case "$BACKUP_PROG" in
++ '[' -s /tmp/rear.jRWmBt9cjV4SAnM/tmp/restore-exclude-list.txt ']'
++ is_true yes
++ case "$1" in
++ return 0
++ Log 'dd if=/tmp/rear.jRWmBt9cjV4SAnM/outputfs/linux-44ml/backup.tar.gz | /usr/bin/openssl des3 -d -k  BACKUP_PROG_CRYPT_KEY | tar --block-number --totals --verbose --anchored' --xattrs --xattrs-include=security.capability --xattrs-include=security.selinux '--acls --gzip -C /mnt/local/ -x -f -'
++ echo '2019-06-06 14:26:20.803458550 dd if=/tmp/rear.jRWmBt9cjV4SAnM/outputfs/linux-44ml/backup.tar.gz | /usr/bin/openssl des3 -d -k  BACKUP_PROG_CRYPT_KEY | tar --block-number --totals --verbose --anchored --xattrs --xattrs-include=security.capability --xattrs-include=security.selinux --acls --gzip -C /mnt/local/ -x -f -'
2019-06-06 14:26:20.803458550 dd if=/tmp/rear.jRWmBt9cjV4SAnM/outputfs/linux-44ml/backup.tar.gz | /usr/bin/openssl des3 -d -k  BACKUP_PROG_CRYPT_KEY | tar --block-number --totals --verbose --anchored --xattrs --xattrs-include=security.capability --xattrs-include=security.selinux --acls --gzip -C /mnt/local/ -x -f -
block 3: ./
block 6: etc/
block 9: etc/fstab
block 13: etc/mtab
...

i.e. tons of tar output lines.

@jsmeix
Copy link
Member Author

jsmeix commented Jun 6, 2019

I think I can improve it so that only the actually confidential command
in the pipe has stderr redirected to /dev/null because redirection
in a pipe can be done individually for each command in the pipe.

E.g. on my SLES11 system

# ( set -x ; cat /etc/issue 1>&2 | { cat qqq ; } 2>/dev/null | cat /etc/os-release 1>&2 | { cat QQQ ; } 2>/dev/null )
+ cat /etc/issue

Welcome to SUSE Linux Enterprise Desktop 11 SP4  (i586) - Kernel \r (\l).


+ cat /etc/os-release
NAME="SLED"
VERSION="11.4"
VERSION_ID="11.4"
PRETTY_NAME="SUSE Linux Enterprise Desktop 11 SP4"
ID="sled"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sled:11:4"

and on my openSUSE Leap 15.0 system

# ( set -x ; cat /etc/issue 1>&2 | { cat qqq ; } 2>/dev/null | cat /etc/os-release 1>&2 | { cat QQQ ; } 2>/dev/null )
+ cat /etc/issue
+ cat /etc/os-release
Welcome to \S - Kernel \r (\l).


NAME="openSUSE Leap"
VERSION="15.0"
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="15.0"
PRETTY_NAME="openSUSE Leap 15.0"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap:15.0"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"

I use the subshell here only to encapsulate the set -x effect.

@jsmeix
Copy link
Member Author

jsmeix commented Jun 7, 2019

Now all works well for me
so that I like to merge it right now
unless there is an immediate objection.

@jsmeix jsmeix merged commit a60d619 into rear:master Jun 7, 2019
@jsmeix jsmeix deleted the do_not_log_BACKUP_PROG_CRYPT_KEY_value_issue2155 branch June 7, 2019 13:15
@jsmeix jsmeix mentioned this pull request Jun 7, 2019
Closed
@jsmeix jsmeix mentioned this pull request Jun 17, 2019
Closed
@jsmeix jsmeix mentioned this pull request Aug 7, 2019
Closed
@jsmeix jsmeix mentioned this pull request Oct 25, 2019
Closed
@jsmeix jsmeix mentioned this pull request Nov 25, 2019
Closed
@jsmeix jsmeix mentioned this pull request May 27, 2021
Closed
@jsmeix jsmeix mentioned this pull request Apr 5, 2023
Closed
@jsmeix jsmeix mentioned this pull request May 10, 2023
Merged
jsmeix added a commit that referenced this pull request May 11, 2023
@jsmeix
Update 04-scenarios.adoc
edd7097 
In doc/user-guide/04-scenarios.adoc
explain that when a command like
export VAR='secret_value'
is run on the original system, then one must ensure
to not keep that command in a shell history file.
This is an addedum to
#2156
which was triggered by what was done in
#2982
jsmeix added a commit that referenced this pull request May 11, 2023
@jsmeix
Update 420_login_to_galaxy_and_setup_environment.sh
28125e3 
In verify/GALAXY11/default/420_login_to_galaxy_and_setup_environment.sh
run commands that deal with GALAXY11_PASSWORD
in a confidential way via { confidential_command ; } 2>/dev/null
to not leak the GALAXY11_PASSWORD value into the log file,
cf. #2156
@jsmeix jsmeix mentioned this pull request May 11, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gdha gdha gdha approved these changes

@rmetrich rmetrich Awaiting requested review from rmetrich

Assignees

@jsmeix jsmeix

Labels
critical / security / legal fixed / solved / done
Projects
None yet
Milestone
ReaR v2.6
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jsmeix @gdha