Secure job option with a default value from keystore is overwritten on job run #1966

Closed
pdev77b opened this Issue Jul 26, 2016 · 10 comments


@pdev77b
pdev77b commented Jul 26, 2016

Using Firefox, where my personal Rundeck username/password is saved in autocomplete.
When a job with a secure job option obtaining its default value (a password) from the keystore is run, the option text entry box is auto-populated with my personal password via Firefox autocomplete.
Therefore the job fails, as the wrong password is being sent, but as the password is masked it is not clear to the user what is being done. This is inadvertently disclosing the user's password to the underlying scripts.
Whilst I could disable Firefox autocomplete, other Rundeck users may not.

I would like Firefox to not populate this box ideally, but as I have a value for the secure job option, I don't actually want to show the input field to a user at all. This doesn't seem possible.

@rundeck-ci-build

What version of Rundeck are you using? This may be fixed in the latest code; I think the password fields have been changed to prevent autocomplete, although I have not tested it on Firefox.

Greg

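The exchange so far turns on one browser behaviour: a `<input type="password">` that looks like a login box gets a saved login filled into it, silently replacing the stored default. The following is an added example, not Rundeck code and not something from this thread, that audits rendered form markup for password inputs a browser may autofill and shows the markup hint (`autocomplete="new-password"`) that tells the browser the field is not a login. The HTML snippets are constructed for the example; the `extra.option.<name>` field names are a guess at Rundeck's run-job form and were not captured from it. The classification encodes two things I am confident of for current browsers: Firefox's login manager ignores `autocomplete="off"` on password fields, and browsers do not fill a saved login into a field marked `new-password`. Whether the 2016 Firefox build discussed here honoured `new-password` is not something this page establishes.

```javascript
// Added example (not Rundeck code): audit rendered form markup for password
// inputs that a browser's saved-login autofill may populate, and show the
// markup change that tells the browser not to. The HTML below is constructed
// for this example; the field names are guesses at Rundeck's run-job form,
// not captured from it.

// Matches each <input ...> tag and captures its raw attribute text.
const INPUT_TAG = /<input\b([^>]*)>/gi;
// Matches one attribute: name, optionally = "value" | 'value' | bare value.
const ATTR = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Classify one password input by its autocomplete hint.
//   "new-password": browsers (current Firefox included) do not fill a saved
//                   login here, so a stored default will not be clobbered.
//   "off":          honoured by some browsers, but Firefox's login manager
//                   ignores it for password fields, so treat it as weak.
//   anything else:  looks like a login box; saved credentials may be filled.
function classify(autocomplete) {
  const ac = (autocomplete || '').toLowerCase();
  if (ac === 'new-password') return 'ok';
  if (ac === 'off') return 'weak';
  return 'autofillable';
}

// Returns one finding per <input type="password"> in the markup.
function auditPasswordInputs(html) {
  const findings = [];
  for (const m of html.matchAll(INPUT_TAG)) {
    const a = parseAttrs(m[1]);
    if ((a.type || 'text').toLowerCase() !== 'password') continue;
    findings.push({
      name: a.name || a.id || '(unnamed)',
      autocomplete: a.autocomplete || null,
      verdict: classify(a.autocomplete),
    });
  }
  return findings;
}

// Names of password inputs that are not marked new-password.
function autofillableFields(html) {
  return auditPasswordInputs(html)
    .filter((f) => f.verdict !== 'ok')
    .map((f) => f.name);
}

// Constructed sample: a run-job form whose secure option is rendered like a
// login password box (autocomplete="off" only), as the thread describes.
const SAMPLE_WEAK = `
<form id="runjob">
  <input type="text" name="extra.option.hostname" value="db01">
  <input type="password" name="extra.option.SSLpassphrase2" autocomplete="off">
</form>`;

// Same form with the field marked as a new password rather than a login.
const SAMPLE_HARDENED = `
<form id="runjob">
  <input type="text" name="extra.option.hostname" value="db01" autocomplete="off">
  <input type='password' name='extra.option.SSLpassphrase2' autocomplete='new-password'>
</form>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', autofillableFields(SAMPLE_WEAK));
  console.log('hardened:', autofillableFields(SAMPLE_HARDENED));
}
```

Run it with `node` and compare the two lists: the weak form reports `extra.option.SSLpassphrase2`, the hardened form reports nothing. The audit only tells you whether a rendered field invites autofill; it does not address the stronger request in this thread, which is for the server not to render an input at all when a secure default already exists.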

@pdev77b
pdev77b commented Jul 27, 2016

Hi - it's Rundeck 2.6.8-1

@gschueler gschueler added this to the 2.6.9 milestone Aug 2, 2016
@gschueler gschueler self-assigned this Aug 2, 2016
@gschueler gschueler closed this in 5174cd0 Aug 2, 2016
@gschueler gschueler removed the in progress label Aug 2, 2016
@pdev77b
pdev77b commented Aug 17, 2016

Hi

I've just downloaded 2.6.9-1; it doesn't appear to behave differently in Firefox 47.0.1.

e.g.
[screenshot not available]

The password that is being auto-populated into the 'SSLpassphrase2' input box is my Rundeck password, not the value from the keystore I have set in the option definition:

[screenshot not available]

Ideally, I'd like the option to completely hide the input from the user, but the alternative is that the box is auto-populated with the masked value from the keystore. It's potentially dangerous how it is at the moment, in that my password is being passed to the underlying script without my knowledge.

Happy to test any changes for you

Regards

Paul


@pdev77b
pdev77b commented Aug 17, 2016

To provide further info,

Chrome: doesn't offer to save your Rundeck password, therefore not an issue.
IE11: does save the Rundeck password, but does not auto-populate the default values of jobs as Firefox does.

Paul


@gschueler
Contributor

ok thanks, I could not see your screenshots, but I will reopen the issue for Firefox specifically: #2015

@pdev77b
pdev77b commented Aug 18, 2016 edited

When I go to run the job, I see that the SSLpassphrase2 dialog box is populated with 'something'. This isn't the masked contents of the password I have stored in the key storage, but in fact the autocomplete password of my Rundeck login; it's Firefox that's putting it here (Chrome and IE11 don't).
Ideally I want the option to hide this dialog box from the users (as I want to just store a password 'securely' within Rundeck and allow users to utilise this password without them knowing it).
But Firefox's behaviour here is accidentally disclosing a user's password, which could be mined by rogue Rundeck jobs etc.

[screenshot 1 not available]

Option definition within the job (for info):
[screenshot 2 not available]

@mnhan3
mnhan3 commented Nov 4, 2016

Greg,
Can a secure option be given a way to not be displayed in Rundeck? I want to use the option in a script and fetch the secure password from the keystore, but I don't want it to be overwritten or even have the option displayed. I can't find a way to hide the option.

Thanks,
Michael

@pdev77b
pdev77b commented Nov 4, 2016

Hi,

That's what I ideally wanted too.
My original post said "I would like Firefox to not populate this box ideally, but as I have a value for the secure job option, I don't actually want to show the input field to a user at all - this doesn't seem possible."
I can't control what browsers my (Rundeck) users may use, hence the concern around this 'feature' of Firefox. An option to hide the input field would be great.

Thanks
Paul


@gschueler
Contributor

Maybe if there is a secure default and "Restrict to allowed values" is set, then no input field is shown. I think that could work and would allow either way to work, since you could allow any value if you still want the user input.

@gschueler
Contributor

I filed this as a new enhancement: #2162
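The option definition this thread keeps referring to survives only as screenshots that did not make it onto the page. What follows is an added example in Rundeck job YAML, written by the editor rather than taken from the thread or from the Rundeck project, showing the option as reported (secure, exposed to the script, defaulted from key storage, still rendered as an editable field) next to the variant Greg proposes in his last comment. Key names follow my reading of Rundeck's job YAML format (the list form used by job export; older versions keyed options by name); the job name, script step and storage path are made up; and whether `enforced: true` together with a secure default hides the field depends on enhancement #2162, which the thread only proposes. Check against a job export from your own Rundeck version before relying on any of it.

```yaml
# Added example, not from this thread or the Rundeck project. Key names are
# from my reading of the job YAML format; job name, script and storage path
# are made up. Verify against an export from your own Rundeck version.
- name: rotate-ssl-cert
  loglevel: INFO
  sequence:
    keepgoing: false
    strategy: node-first
    commands:
      # Assumed helper script; it reads the option from its environment as
      # RD_OPTION_SSLPASSPHRASE2 rather than taking the secret on argv.
      - exec: ./use-cert.sh
  options:
    # As reported in the thread: secure, exposed to the script, defaulted
    # from key storage, but still rendered as an editable password box that
    # a browser may fill with the user's own saved Rundeck password.
    - name: SSLpassphrase2
      secure: true
      valueExposed: true
      storagePath: keys/project/ssl/passphrase
      required: true
    # Greg's proposal from the last comment (#2162): the same secure default
    # plus "Restrict to allowed values" (enforced) with no allowed-values
    # list, so the server keeps the stored value and would show no input.
    # Not behaviour this thread confirms; it depends on #2162 landing.
    - name: SSLpassphrase2_hidden
      secure: true
      valueExposed: true
      storagePath: keys/project/ssl/passphrase
      enforced: true
```

The point of the second definition is that the secret never appears in a browser form at all: with no input rendered there is nothing for an autofill heuristic to overwrite, and nothing for a user to paste the wrong credential into. Until that exists, the first definition is the one to audit, since the stored default is only as safe as the browser's treatment of the password box it is rendered in.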
