highstate.cache is world readable, and contains secrets #28455
Comments
I'm not sure what's different, but I checked this out because I was concerned about this, and the cache on all of the minions I have (2015.8.1 and some older 2015.5.3 minions) are 0600. Also, is the password hash exactly a secret on the node that it's being installed on?
Hi @zmalone. I can only reproduce this (thus far) with
I can confirm that I'm using state.sls. I'm attempting to test with highstates now, but it sounds as though that code path does not have this issue. I've worked around it for now with:
but it will probably affect a lot of people who run state.sls.
I already have a fix in for state.sls over in #28461. I'll review the rest of state.py right now to ensure there aren't any other mistakes of this nature. Thanks for bringing this one to our attention. Much appreciated.
I've confirmed that I do not see this with state.highstate.
@zmalone I can also confirm that. I believe this problem to be isolated to state.sls and fixed by the PR linked above.
This fix has been merged. I'm going to go ahead and close this unless there is additional work to be done here.
@zmalone The CVE for this fix is being announced today. In the future, please send security concerns to security@saltstack.com as instructed in our security disclosure documentation: https://docs.saltstack.com/en/latest/security/index.html
Secrets get dumped in highstate.cache.p, which is world readable. It looks like this has been fixed before, so this is probably a regression. See #6764 for a past instance of this.
This also appears in 2015.8.1:
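The bug class in this report is a cache file written with the process's default umask, so a serialized state containing secrets ends up readable by every local user. The following is an added example, not Salt's code or the fix in #28461: it shows the two defender-side pieces, creating the file with mode 0600 before any bytes land on disk, and a small audit that flags files under a cache directory that grant group or other read. The cache directory, file name and secret-like payload are constructed for the demo.

```python
import os
import stat
import tempfile

def write_private_file(path, data):
    """Create or truncate `path` as 0600 and write `data` to it.

    Passing the mode to os.open() means the file never exists with the
    umask-derived default, unlike open() followed by a later chmod()."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    # A pre-existing file keeps its old mode on O_CREAT; enforce 0600 anyway.
    os.chmod(path, 0o600)

def file_mode(path):
    """Permission bits of `path` (e.g. 0o644), without file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)

def world_readable_files(directory):
    """Return files under `directory` whose mode grants group or other read."""
    exposed = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if file_mode(full) & (stat.S_IRGRP | stat.S_IROTH):
                exposed.append(full)
    return sorted(exposed)

def demo():
    """Write one cache file the buggy way and one the safe way, then audit."""
    cache_dir = tempfile.mkdtemp()  # constructed stand-in for the minion cache dir
    payload = b"user_password_hash: $6$CONSTRUCTED$not-a-real-hash\n"  # constructed
    bad = os.path.join(cache_dir, "highstate.cache.p")
    good = os.path.join(cache_dir, "highstate.cache.p.fixed")
    old_umask = os.umask(0o022)  # pin the umask so the buggy path yields 0644
    try:
        with open(bad, "wb") as fh:  # plain open(): mode comes from the umask
            fh.write(payload)
        write_private_file(good, payload)
    finally:
        os.umask(old_umask)
    return world_readable_files(cache_dir), bad, good

if __name__ == "__main__":
    exposed, _bad, _good = demo()
    for path in exposed:
        print("world/group readable:", path, oct(file_mode(path)))
```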