[yast-devel] YaST logs permissions
Hi!

Recently, we have been asked to change the save_y2logs generated file permissions[1] because it's only readable by root, which causes troubles[2] when trying to upload it elsewhere as a common user.

However, this is not possible because generated logs contain sensitive information like configuration of services, the content of the journal, or firewall configuration.

Adding a short explanation in the command output about the need to adjust the permissions when you are going to upload the file could help the user to understand what's going on, but seems to not be enough. The user should also be aware that logs might contain sensitive data and keep them safe.

How do you think we could improve that situation?

Regards.

[1] https://github.com/yast/yast-yast2/issues/978
[2] https://en.opensuse.org/openSUSE:Report_a_YaST_bug#Firefox_fails_to_attach_t...

--
David Díaz González
YaST Team at SUSE Linux GmbH
On Thu, 6 Feb 2020 15:49:02 +0000 David Díaz <dgonzalez@suse.de> wrote:
> Hi!
>
> Recently, we have been asked to change the save_y2logs generated file permissions[1] because it's only readable by root, which causes troubles[2] when trying to upload it elsewhere as a common user.
>
> However, this is not possible because generated logs contain sensitive information like configuration of services, the content of the journal, or firewall configuration.
>
> Adding a short explanation in the command output about the need to adjust the permissions when you are going to upload the file could help the user to understand what's going on, but seems to not be enough. The user should also be aware that logs might contain sensitive data and keep them safe.
>
> How do you think we could improve that situation?

Hi, we for sure need to discuss it with the security team, where the experts on this topic are. Also we should maybe somehow mention that when Y2DEBUG is set to 1, then it logs everything including passwords, as it also logs on the UI layer (by default not enabled).

Also what needs to be taken into consideration is that y2logs is always on the system after each installation, so it for sure must not be readable outside of root, as it can mean that you can access information about the configuration on each machine. When a user is uploading logs it is a bit different, because it is expected that it will be visible, and in such a case the user is aware of it. Some users even manually pick what is in the logs or clear the logs before reproducing the issue, so it is really minimal.

So save_y2logs also has to be run as root, but maybe what we can do there is add the ability to pass a user and chown the tarball after calling. So something like `save_y2logs --user jreidinger`, and the resulting tarball will be readable by that user, which looks like a good compromise. And print a warning if it is called without a user specified.

Josef

> Regards.
>
> [1] https://github.com/yast/yast-yast2/issues/978
> [2] https://en.opensuse.org/openSUSE:Report_a_YaST_bug#Firefox_fails_to_attach_t...
-- To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org To contact the owner, e-mail: yast-devel+owner@opensuse.org
On Thu, 6 Feb 2020, Josef Reidinger wrote:
> clear the logs before reproducing the issue, so it is really minimal. So save_y2logs also has to be run as root, but maybe what we can do there is add the ability to pass a user and chown the tarball after calling. So something like `save_y2logs --user jreidinger`, and the resulting tarball will be readable by that user, which looks like a good compromise. And print a warning if it is called without a user specified.

That doesn't make much of a difference compared to having the log world-readable.

There's a logical contradiction in keeping the logs secret and at the same time asking the user to make it publicly available.

Keeping the restrictive permissions and presenting a brief text to the user explaining things might be our best bet.

Steffen

--
Give orange me give eat orange me eat orange give me eat orange give me you.
(chimp Nim, using sign language)
On 07. 02. 20 at 13:19, Steffen Winterfeldt wrote:
> On Thu, 6 Feb 2020, Josef Reidinger wrote:
> > clear the logs before reproducing the issue, so it is really minimal. So save_y2logs also has to be run as root, but maybe what we can do there is add the ability to pass a user and chown the tarball after calling. So something like `save_y2logs --user jreidinger`, and the resulting tarball will be readable by that user, which looks like a good compromise. And print a warning if it is called without a user specified.
>
> That doesn't make much of a difference compared to having the log world-readable.

I think it is still better to limit the access to just one person than having it world readable. Unfortunately we cannot implement something like "make it readable for me if I want to attach it to bugzilla". We do not know what the user will do with the file or how long it will be kept in the system. And in this case it is better to be safe than sorry.

> There's a logical contradiction in keeping the logs secret and at the same time asking the user to make it publicly available.

Because we do not know what will happen with the file later we stay on the safe side.

> Keeping the restrictive permissions and presenting a brief text to the user explaining things might be our best bet.

Yes, we probably cannot do much regarding this. But I like Josef's "--user" idea, that could help a bit I think...

--
Ladislav Slezák
YaST Developer
SUSE LINUX, s.r.o.
Corso IIa
Křižíkova 148/34
18600 Praha 8
On 06. 02. 20 at 19:46, Josef Reidinger wrote:
> Hi, we for sure need to discuss it with the security team, where the experts on this topic are. Also we should maybe somehow mention that when Y2DEBUG is set to 1, then it logs everything including passwords, as it also logs on the UI layer (by default not enabled).

Maybe save_y2logs could grep the logs for "<0>" and print a warning in that case. But I'm not sure if that would slow down saving the logs, there might be plenty of /var/log/YaST2/y2log-*.gz files and that could take some time...

> [...]
> ability to pass a user and chown the tarball after calling. So something like `save_y2logs --user jreidinger`, and the resulting tarball will be readable by that user, which looks like a good compromise. And print a warning if it is called without a user specified.

Yes, I was just about to propose something like that. Just keep in mind that this will not help during installation, there is only the "root" user (besides some special system accounts). You need to solve that manually depending on how you get the logs out of the system.

--
Ladislav Slezák
YaST Developer
SUSE LINUX, s.r.o.
Corso IIa
Křižíkova 148/34
18600 Praha 8
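The check suggested in the message above, written out as an added example (it is not part of save_y2logs or of any message in this thread). It assumes the log line layout shown in the excerpt quoted later in the thread, with the level field directly after the timestamp; the function names and the sample log files are constructed for illustration.

```ruby
require "zlib"
require "tmpdir"

# Debug entries carry "<0>" as the field right after the timestamp. Anchoring
# there avoids counting a literal "<0>" that only appears inside a message.
DEBUG_ENTRY = /\A\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} <0> /

# Streams a plain or gzip-compressed log line by line (never loads it whole).
def each_log_line(path, &block)
  if path.end_with?(".gz")
    Zlib::GzipReader.open(path) { |gz| gz.each_line(&block) }
  else
    File.foreach(path, &block)
  end
end

# Returns { path => number of debug-level entries } for files that have any.
def debug_entries(log_dir)
  Dir.glob(File.join(log_dir, "y2log*")).sort.each_with_object({}) do |path, found|
    count = 0
    each_log_line(path) { |line| count += 1 if line.scrub.match?(DEBUG_ENTRY) }
    found[path] = count if count.positive?
  end
end

# Warning text for the user, or nil when no debug-level entry was found.
def debug_warning(log_dir)
  hits = debug_entries(log_dir)
  return nil if hits.empty?

  "WARNING: #{hits.values.sum} debug-level entries in #{hits.size} file(s); " \
    "review the logs before sharing them."
end

# Constructed sample logs (not real YaST output).
def build_sample_logs(dir)
  File.write(File.join(dir, "y2log"),
             "2020-02-10 11:52:09 <1> host(1) [Ruby] a.rb:1 text mentioning <0>\n")
  Zlib::GzipWriter.open(File.join(dir, "y2log-1.gz")) do |gz|
    gz.write("2020-02-10 11:52:09 <0> host(1) [ui] b.cc:2 Append parameter\n")
    gz.write("2020-02-10 11:52:10 <1> host(1) [ui] b.cc:3 done\n")
  end
end

Dir.mktmpdir do |dir|
  build_sample_logs(dir)
  puts debug_warning(dir)
end
```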
On 2020-02-07 15:50, Ladislav Slezak wrote:
> On 06. 02. 20 at 19:46, Josef Reidinger wrote:
> > Hi, we for sure need to discuss it with the security team, where the experts on this topic are. Also we should maybe somehow mention that when Y2DEBUG is set to 1, then it logs everything including passwords, as it also logs on the UI layer (by default not enabled).
>
> Maybe save_y2logs could grep the logs for "<0>" and print a warning in that case. But I'm not sure if that would slow down saving the logs, there might be plenty of /var/log/YaST2/y2log-*.gz files and that could take some time...

First please somebody bring any shred of evidence that this actually happens. I think that this is just plain misinformation.

Kind regards

--
Stefan Hundhammer <shundhammer@suse.de>
YaST Developer
SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton; HRB 21284 (AG Nürnberg)
On 2020-02-06 19:46, Josef Reidinger wrote:
> Also we should maybe somehow mention that when Y2DEBUG is set to 1, then it logs everything including passwords, as it also logs on the UI layer (by default not enabled).

Is this true and tested and confirmed, or is this an urban legend in the making?

Careful what information we are spreading; some people might mistake such a wild guess for serious information. I am pretty sure that the UI does NOT log any passwords. Never ever. The code doesn't CONTAIN any yuiDebug() call, let alone leaking any confidential information, much less passwords or even single keystrokes.

https://github.com/libyui/libyui/blob/master/src/YInputField.cc
https://github.com/libyui/libyui-qt/blob/master/src/YQInputField.cc
https://github.com/libyui/libyui-ncurses/blob/master/src/NCInputField.cc

I also took great care to explicitly NOT log any passwords in the macro that we write during installation.

So, where did you see any password information leaked by the UI? I am very sure that this does not happen.

If any other YaST component logs large hashes that may also contain passwords, that's another matter; but in that case, this is where we need to fix things.

Kind regards

--
Stefan Hundhammer <shundhammer@suse.de>
YaST Developer
SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton; HRB 21284 (AG Nürnberg)
On Mon, 10 Feb 2020 10:12:27 +0100 Stefan Hundhammer <shundhammer@suse.de> wrote:
> On 2020-02-06 19:46, Josef Reidinger wrote:
> > Also we should maybe somehow mention that when Y2DEBUG is set to 1, then it logs everything including passwords, as it also logs on the UI layer (by default not enabled).
>
> Is this true and tested and confirmed, or is this an urban legend in the making?
>
> Careful what information we are spreading; some people might mistake such a wild guess for serious information. I am pretty sure that the UI does NOT log any passwords. Never ever. The code doesn't CONTAIN any yuiDebug() call, let alone leaking any confidential information, much less passwords or even single keystrokes.
>
> https://github.com/libyui/libyui/blob/master/src/YInputField.cc
> https://github.com/libyui/libyui-qt/blob/master/src/YQInputField.cc
> https://github.com/libyui/libyui-ncurses/blob/master/src/NCInputField.cc
>
> I also took great care to explicitly NOT log any passwords in the macro that we write during installation.
>
> So, where did you see any password information leaked by the UI? I am very sure that this does not happen.
>
> If any other YaST component logs large hashes that may also contain passwords, that's another matter; but in that case, this is where we need to fix things.
>
> Kind regards

Well, the issue is that we log values for our UI terms (not in libyui, but when we construct values). So if you have e.g. a password for your ftp server (let's say ftp://user:password@myftp.com) and you open a dialog that allows editing this source, e.g. the packager if you use it for your repos, then you see in the logs something like:

2020-02-10 11:52:09 <0> linux-vvcf.privatesite(12906) [ui] YUINamespace.cc(createFunctionCall):1035 overloaded ReplaceWidget, 2@24
2020-02-10 11:52:09 <0> linux-vvcf.privatesite(12906) [Ruby] binary/Yast.cc(ycp_module_call_ycp_function):326 Call ReplaceWidget
2020-02-10 11:52:09 <0> linux-vvcf.privatesite(12906) [Ruby] binary/Yast.cc(ycp_module_call_ycp_function):332 Append parameter `_cwm_tab_contents_rp
2020-02-10 11:52:09 <0> linux-vvcf.privatesite(12906) [Ruby] binary/Yast.cc(ycp_module_call_ycp_function):332 Append parameter `VBox (`Table (`id ("Y2Network::Widgets::InterfacesTable"), `opt (`notify, `immediate), `header ("Název", "IP adresa", "Zařízení", "Poznámka"), [`item (`id ("wlan1"), "QCA6174 802.11ac Wireless Network Adapter", "DHCP", "wlan1", ""), `item (`id ("eth0"), "NetLink BCM57780 Gigabit Ethernet PCIe", "DHCP", "eth0", ""), `item (`id ("wlan0"), "RTL8188EUS 802.11n Wireless Network Adapter", "DHCP", "wlan0", "")]), `RichText (`id ("Y2Network::Widgets::InterfaceDescription"), `opt (), ""), `Left (`HBox (`PushButton (`id ("Y2Network::Widgets::AddInterface"), `opt (), "Přid&at"), `PushButton (`id ("Y2Network::Widgets::EditInterface"), `opt (), "Uprav&it"), `PushButton (`id ("Y2Network::Widgets::DeleteInterface"), `opt (), "Smaza&t"))))

and in this part you see the initial values, which can contain passwords. So it is not that we log what the user types, but we log it when we display it.

Josef
On 2020-02-10 11:57, Josef Reidinger wrote:
> Well, the issue is that we log values for our UI terms (not in libyui, but when we construct values). So if you have e.g. a password for your ftp server (let's say ftp://user:password@myftp.com) and you open a dialog that allows editing this source, e.g. the packager if you use it for your repos, then you see in the logs something like:

Then the bug is that those terms are logged. Since that logging is only ever useful when somebody is debugging the very low-level functions deep down, this should be ifdef'ed out by default. It's not as if any of us would EVER make use of that level of logging.

If you want to see the widget tree, you can simply use UI.DumpWidgetTree() which does not leak any details that may be confidential like passwords; or use the YDialogSpy (Ctrl-Shift-Alt-Y).

But we really shouldn't make life harder for us and for our users by potentially leaking confidential information and then trying to disguise that problem by y2log tarball permissions and disclaimers and whatnot.

We need the y2logs for debugging and bug fixing. We need our users to be able to trust us with that. So we need to take the utmost care to NOT leak any confidential information. So please let's get rid of such logging leaks.

The same is true, of course, for places where we dump complete data structures to the log that may also contain passwords. We may need special log functions in some places to replace such information with something neutral like "<password not logged>"; this is also important to build trust with our users.

Kind regards

--
Stefan Hundhammer <shundhammer@suse.de>
YaST Developer
SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton; HRB 21284 (AG Nürnberg)
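A sketch of the kind of log helper described in the message above, added here as an example and not taken from YaST: it replaces the password in URLs such as ftp://user:password@myftp.com, and values stored under password-like keys in nested data, with "<password not logged>" before anything is written. The function names, the list of sensitive key names and the sample data are assumptions made for this example.

```ruby
PLACEHOLDER = "<password not logged>"

# Password part of scheme://user:password@host. The password match is greedy up
# to the last "@" before the next "/", so a password containing "@" is covered,
# while host:port (no "@" before the path) is left untouched.
URL_PASSWORD = %r{(?<=://)([^\s/:@"']+):[^\s/"']+(?=@)}

# Key names treated as secret (an assumption for this sketch).
SENSITIVE_KEY = /passw(or)?d|passphrase|secret|token/i

def redact_urls(text)
  text.gsub(URL_PASSWORD) { "#{Regexp.last_match(1)}:#{PLACEHOLDER}" }
end

# Returns a redacted copy of a nested Hash/Array structure; the input is not
# modified, so the caller keeps working with the real values.
def redact(value, key = nil)
  return PLACEHOLDER if key && key.to_s.match?(SENSITIVE_KEY) && !value.nil?

  case value
  when Hash   then value.each_with_object({}) { |(k, v), out| out[k] = redact(v, k) }
  when Array  then value.map { |v| redact(v) }
  when String then redact_urls(value)
  else value
  end
end

# Builds the text that would go to the log: message and data, both redacted.
def log_line(message, data)
  "#{redact_urls(message)} #{redact(data).inspect}"
end

# Constructed sample data (not real YaST structures).
SAMPLE_REPO = {
  "name" => "myrepo",
  "url" => "ftp://user:password@myftp.com/repo",
  "proxy" => { "host" => "proxy.example.com", "proxy_password" => "hunter2" },
  "mirrors" => ["http://mirror.example.com:8080/repo"]
}.freeze

puts log_line("Editing ftp://user:password@myftp.com", SAMPLE_REPO)
```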
participants (5)
- David Díaz
- Josef Reidinger
- Ladislav Slezak
- Stefan Hundhammer
- Steffen Winterfeldt