New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New --expose-secrets option plus SECRET_OUTPUT_DEV #3006
Conversation
In sbin/rear added --expose-secrets option and SECRET_OUTPUT_DEV, see #2967
Added LogSecret function
For a first quick test I added at the beginning of
With that I get:
|
For a test when a secret command succeeded
and
so the LogSecret function returns a non-zero exit code
With that I get
|
Let the LogSecret function return a non-zero exit code when EXPOSE_SECRETS is not set which can be used to log a generic fallback message, see #3006 (comment)
@codefritzel @rear/contributors Nothing is documented yet in "rear help" or "man rear" |
Better readable comment
@codefritzel @rear/contributors After the merge of this one I will replace our current
code with the new
method that is implemented by this pull request |
Use '{ SECRET COMMAND ; } 2>>/dev/$SECRET_OUTPUT_DEV' instead of '{ SECRET COMMAND ; } 2>/dev/null' because '{ ... ; } 2>>/dev/$SECRET_OUTPUT_DEV' makes debugging still possible for the user by calling rear with the '--expose-secrets' option and SECRET_OUTPUT_DEV makes it clear which redirections are explicitly meant to hide secrets to distinguish them from usual unwanted output discard via '2>/dev/null' see #3006 and #2967
Type: Critical Fix / Enhancement
Impact: Critical
Reference to related issue (URL):
Confidential values leaked into log file in debug mode #2967
How was this pull request tested?
Brief description of the changes in this pull request:
In sbin/rear added --expose-secrets option
and SECRET_OUTPUT_DEV