New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SECURITY: Logging to /tmp/sasl_oauth.log leaks credentials to other accounts #3
Comments
How do you suggest that one would do debug logging then? printf to STDERR won't work since it's loaded by a client?
|
I'd say that debug logging should not be turned on by default, in the first place :-) If one needs the debug output, they should only turn it on manually, for example via an environment variable. (Thinking about it, passing credentials via environment might be a good option that takes storage considerations, such as the use of Even if there should be debug output by default, I don't see that there is, indeed, one file per user, nor that there is a call to |
On Sun, 2016-05-15 at 17:30:44 -0700, Ivan Vučica wrote:
Since the config parsing is already there, it's probably a good idea to
I don't really understand. Storing the token and token_secret in ENV Putting secrets in ENV is not a good idea, people will get sloppy and
It was merely a suggestion of how to solve it. This is not a whitewash, but an statement of facts: This started as a |
While trying to fix this a while ago I couldn't register an XOAUTH app for GMail. Do you know if it's still possible? |
I used this: https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py to produce OAUTH2 tokens. Unfortunately I cannot recall which type of credentials I created on https://console.cloud.google.com/ to use with oauth2.py. I believe it may have been "native client". If my memory serves me well, I used the OAUTH2 tokens with this |
And also, yes, I was originally talking about putting the tokens into environment -- however, you are right, it's a bad idea for the reason you outlined. As a side note, thank you for your work on this. |
On Mon, 2016-09-26 at 09:30:17 -0700, Ivan Vučica wrote:
Thank you for confirming this.
No worries, I'm on parental leave now so finally I've got time ; ) |
On Mon, 2016-09-26 at 09:28:44 -0700, Ivan Vučica wrote:
Thank you for this, I'll try again soon. |
On Mon, 2016-09-26 at 09:28:44 -0700, Ivan Vučica wrote:
I tried it now. I'm pretty sure I've generated them correctly but since Since I have my old credentials left in my And the length makes me guess that OAUTH2 Client secret is I've tried this but it didn't work, can you verify that this is what you I tried the OAUTH2 Access token now as So basically this lib needs to be rewritten for OAUTH2? |
I just used this with the output of I'm assuming that the refresh token could be used to regenerate a new "Access Token" and "OAuth2 argument" every hour? |
I created this small shell-script to update the tokens in #!/bin/sh
CLIENT_ID="..."
CLIENT_SECRET="..."
REFRESH_TOKEN="..."
USER_EMAIL="..."
AT=$(python oauth2.py --user="$USER_EMAIL" --client_id="$CLIENT_ID" --client_secret="$CLIENT_SECRET" --refresh_token="$REFRESH_TOKEN" | head -1 | sed 's/Access Token: //')
OA=$(python oauth2.py --generate_oauth2_string --access_token="$AT" --user="$REFRESH_TOKEN" | tail -1 )
echo | tee ~/.xoauthrc <<EOF
# The last oauth_token output of xoauth.py
token = $AT
# The last oauth_token_secret output of xoauth.py
token_secret = $OA
EOF
chmod 600 ~/.xoauthrc |
Thanks @zmughal! I would have done that as: umask 077
cat > ~/.xoauthrc <<EOF
# The last oauth_token output of xoauth.py
token = $AT
# The last oauth_token_secret output of xoauth.py
token_secret = $OA
EOF to avoid the race condition of it being readable to everyone. |
@ivucica I've decided not to implement logging as configureable. It now uses umask and appends uid to the filename. Since |
Aside from having to store credentials in
${HOME}/.xoauthrc
which the documentation does not recommend to be secured (for example, viachmod 0600 "${HOME}"/.xoauthrc
), the default implementation also prints everything out intodebugfp
at/tmp/sasl_oauth.log
. This file is not secured in any way.Among information printed into this debug log is the access token and the authentication string.
If this sasl2 plugin is deployed on a multitenant system, where every user and service has access to
/tmp
, this leaks sufficient information for unexpected users and services to access current user's email account.While one option might be securing the log file (perhaps by storing it somewhere in
${HOME}
andchmod
ing it), the correct behavior is actually not to usedebugfp
at all.The text was updated successfully, but these errors were encountered: