[Bug 1225432] New: [Agama][Milestone8+] iSCSI Discovery Passwords are logged into y2log in plain text
https://bugzilla.suse.com/show_bug.cgi?id=1225432

Bug ID: 1225432
Summary: [Agama][Milestone8+] iSCSI Discovery Passwords are logged into y2log in plain text
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Installation
Assignee: yast2-maintainers@suse.de
Reporter: locilka@suse.com
QA Contact: jsrain@suse.com
Target Milestone: ---
Found By: ---
Blocker: ---

Created attachment 875149
--> https://bugzilla.suse.com/attachment.cgi?id=875149&action=edit
Snippet of the log

When iSCSI Targets are being discovered in Agama, the iSCSI library logs all the details. Sadly, also including passwords.

How to reproduce? Easily:
-> Start Agama Installer
-> Go to Storage details
-> Click "Prepare devices by configuring advanced storage technologies"
-> Choose iSCSI
-> Click "Discover iSCSI targets"
-> Fill up some users/passwords
-> Click Confirm

This will most probably be the same in YaST as well because it uses the same library.

BTW, there are two entries for user/password, but you can see only the first one in the log. That's most probably because the second one would be used later, if the first one succeeds (not my case).

Additionally, even the save_y2logs script does not remove the passwords, maybe because the string in the log is this:

{"name"=>"discovery.sendtargets.auth.password", "value"=>"and their password", "kind"=>"value", "type"=>1, "comment"=>""}

--
You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1225432#c1

--- Comment #1 from Lukas Ocilka <locilka@suse.com> ---
Created attachment 875150
--> https://bugzilla.suse.com/attachment.cgi?id=875150&action=edit
The dialog for searching for iSCSI...
https://bugzilla.suse.com/show_bug.cgi?id=1225432#c2

--- Comment #2 from Lukas Ocilka <locilka@suse.com> ---
Created attachment 875151
--> https://bugzilla.suse.com/attachment.cgi?id=875151&action=edit
YaST logs with more details
https://bugzilla.suse.com/show_bug.cgi?id=1225432#c3

--- Comment #3 from Stefan Hundhammer <shundhammer@suse.com> ---
This should be as easy as replacing

    attr_accessor :password

with

    secret_attr :password

and adding

    require "yast2/secret_attributes"

    class ...
      include Yast2::SecretAttributes
https://bugzilla.suse.com/show_bug.cgi?id=1225432#c4

Knut Alejandro Anderssen González <kanderssen@suse.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kanderssen@suse.com

--- Comment #4 from Knut Alejandro Anderssen González <kanderssen@suse.com> ---
Have not checked it deeper but..

https://github.com/yast/yast-iscsi-client/blob/920ffae4b15dee0fb5f075d59b6f1...

We are logging the raw_data read which includes everything...
https://bugzilla.suse.com/show_bug.cgi?id=1225432#c5

--- Comment #5 from Stefan Hundhammer <shundhammer@suse.com> ---

08:56:08 <1> [Ruby] modules/IscsiClientLib.rb(oldConfig):422 Store temporary config #<Y2IscsiClient::Config:0x00007f4a91d6b310 @raw_data=...
09:18:29 <1> [Ruby] modules/IscsiClientLib.rb(oldConfig):422 Store temporary config #<Y2IscsiClient::Config:0x00007f4a91d6b310 @raw_data=...

https://github.com/yast/yast-iscsi-client/blob/master/src/modules/IscsiClien...

    Builtins.y2milestone("Store temporary config %1", @config)

Not sure if that log line is ever going to be very helpful to us.
https://bugzilla.suse.com/show_bug.cgi?id=1225432#c6

--- Comment #6 from Stefan Hundhammer <shundhammer@suse.com> ---
This @config is an array of hashes, not a real class, so using 'secret_attr' will not help. It's buried here:

https://github.com/yast/yast-iscsi-client/blob/master/src/lib/y2iscsi_client...

I suggest to simply remove that y2milestone line (see comment #5).
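The two situations discussed in comment #3 and comment #6 side by side, as an added illustration that is not code from yast-iscsi-client or from the yast2 library: a secret-attribute mixin that masks a password in inspect output (a simplified stand-in for the Yast2::SecretAttributes idea, not the real module), and a key-name redaction pass for the array-of-hashes config where there is no class to attach secret_attr to. The sample config entries are constructed in the shape of the log snippet attached to this bug, and the assumption that every setting worth hiding ends in ".auth.password" or ".auth.password_in" is mine.

```ruby
# Added example, not project code: keep iSCSI CHAP secrets out of y2log-style
# output, whether the secret lives in an object attribute or in raw config data.

# 1) Stand-in for the secret_attr approach from comment #3. The reader still
#    returns the real value for the code that needs it, but #inspect (which is
#    what a "%1" placeholder in y2milestone ends up rendering) masks it.
#    This is a simplified illustration, not Yast2::SecretAttributes itself.
module SecretAttributes
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declares a normal accessor and remembers the name for masking.
    def secret_attr(name)
      attr_accessor name
      secret_attrs << name
    end

    def secret_attrs
      @secret_attrs ||= []
    end
  end

  # Same layout as Ruby's default inspect, with secret attributes replaced.
  def inspect
    fields = instance_variables.map do |ivar|
      name = ivar.to_s.delete_prefix("@").to_sym
      shown = if self.class.secret_attrs.include?(name)
                "<secret>"
              else
                instance_variable_get(ivar).inspect
              end
      "#{ivar}=#{shown}"
    end
    "#<#{self.class.name} #{fields.join(', ')}>"
  end
end

# Hypothetical holder for discovery credentials, used only to exercise the mixin.
class DiscoveryAuth
  include SecretAttributes
  attr_accessor :username
  secret_attr :password

  def initialize(username, password)
    @username = username
    @password = password
  end
end

# 2) The case from comment #6: the config is an Array of Hashes parsed from
#    iscsiadm output, so there is no class to modify. Redact by setting name
#    before the structure is ever passed to a logger.
#    Assumption: secret settings are those ending in .auth.password or
#    .auth.password_in (the incoming/mutual CHAP password).
SECRET_SETTING = /\.auth\.password(_in)?\z/

def redact_config(config)
  config.map do |entry|
    next entry unless entry.is_a?(Hash) && entry["name"].to_s.match?(SECRET_SETTING)
    entry.merge("value" => "<redacted>")
  end
end

# Constructed sample in the shape of the attached log snippet (not real data).
SAMPLE_CONFIG = [
  { "name" => "discovery.sendtargets.auth.authmethod", "value" => "CHAP",
    "kind" => "value", "type" => 1, "comment" => "" },
  { "name" => "discovery.sendtargets.auth.username", "value" => "initiator01",
    "kind" => "value", "type" => 1, "comment" => "" },
  { "name" => "discovery.sendtargets.auth.password", "value" => "hunter2",
    "kind" => "value", "type" => 1, "comment" => "" },
  { "name" => "discovery.sendtargets.auth.password_in", "value" => "reverse-pw",
    "kind" => "value", "type" => 1, "comment" => "" }
].freeze

if __FILE__ == $PROGRAM_NAME
  puts DiscoveryAuth.new("initiator01", "hunter2").inspect
  puts redact_config(SAMPLE_CONFIG).inspect
end
```

Both routes leave the real value available to the code that authenticates; only the representation that reaches the log changes. Redacting by name, rather than trying to scrub free-form log text afterwards (the save_y2logs problem from the report), avoids depending on the exact serialization format.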
https://bugzilla.suse.com/show_bug.cgi?id=1225432#c7

--- Comment #7 from Stefan Hundhammer <shundhammer@suse.com> ---
Fix: https://github.com/yast/yast-iscsi-client/pull/128
https://bugzilla.suse.com/show_bug.cgi?id=1225432#c8

Stefan Hundhammer <shundhammer@suse.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #8 from Stefan Hundhammer <shundhammer@suse.com> ---
The fix will become available with yast2-iscsi-client-5.0.2.
https://bugzilla.suse.com/show_bug.cgi?id=1225432#c9

--- Comment #9 from Stefan Hundhammer <shundhammer@suse.com> ---
SR to OBS openSUSE:Factory: https://build.opensuse.org/request/show/1177328
https://bugzilla.suse.com/show_bug.cgi?id=1225432#c10

--- Comment #10 from Stefan Hundhammer <shundhammer@suse.com> ---
This also affects yast-iscsi-client as a standalone YaST module as well as using iSCSI during a YaST installation.

Backport to SLE-15-SP5:
PR: https://github.com/yast/yast-iscsi-client/pull/129
SR to IBS SLE-15-SP5: https://build.suse.de/request/show/332524

Backport to SLE-15-SP6:
PR: https://github.com/yast/yast-iscsi-client/pull/130
The SR failed with a HTTP 403 :-(
"The target project SUSE:SLE-15-SP6:GA is not accepting requests because: Project is locked."
https://bugzilla.suse.com/show_bug.cgi?id=1225432#c11

--- Comment #11 from Maintenance Automation <maint-coord+maintenance-robot@suse.de> ---
SUSE-RU-2024:2004-1: An update that has one fix can now be installed.

Category: recommended (moderate)
Bug References: 1225432
Maintenance Incident: [SUSE:Maintenance:34090](https://smelt.suse.de/incident/34090/)

Sources used:
openSUSE Leap 15.5 (src): yast2-iscsi-client-4.5.9-150500.3.6.2
Basesystem Module 15-SP5 (src): yast2-iscsi-client-4.5.9-150500.3.6.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
https://bugzilla.suse.com/show_bug.cgi?id=1225432#c14

--- Comment #14 from Maintenance Automation <maint-coord+maintenance-robot@suse.de> ---
SUSE-RU-2024:3394-1: An update that has one fix can now be installed.

URL: https://www.suse.com/support/update/announcement/2024/suse-ru-20243394-1
Category: recommended (moderate)
Bug References: 1225432
Maintenance Incident: [SUSE:Maintenance:35662](https://smelt.suse.de/incident/35662/)

Sources used:
Basesystem Module 15-SP6 (src): yast2-iscsi-client-4.6.2-150600.3.3.3
openSUSE Leap 15.6 (src): yast2-iscsi-client-4.6.2-150600.3.3.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.