-
-
Notifications
You must be signed in to change notification settings - Fork 12.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NixOS modules: Secrets provided in arguments are exposed to unprivileged users #156400
Comments
This issue has been mentioned on NixOS Discourse. There might be relevant details there: |
Ah, sorry @jtojnar, I must have misread that, infinoted is clearly using a heredoc as well. |
Hi @TLATER i took a look at |
Yeah, it certainly not the greatest idea to hot wire processes with secrets injected into Environment Variables. However, a work around would be to limit normal users from actually seeing other users processes at all. https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ Unfortunately You'll find many upstream projects think it's okay to pass sensitive stuff on the command line. |
Another way to perform this operation securely is to use |
@nixinator yes, those are good points, and partially why I hesitated raising this. Still, most users run their systems without any hardening (hard to know what might be a good idea), and a lot of projects are sympathetic to this problem. I'm more concerned that NixOS modules are lulling users into a false sense of security through the existence of The latter should clearly be fixed, and the former probably warrants further discussion. At least this problem should be more common knowledge in the community than it currently appears to be. |
Is this an issue when using
Does the act of just setting the secret variable reveal what it is? Or is only revealed when used in command line? |
No, since Note that this isn't true for all shells. busybox' ash for example implements This does also mean it's not a shell-exclusive issue though, secrets are also revealed when passed as variables to For reference, when exporting secrets in an interactive shell (i.e., by typing it manually into a terminal), those are logged to the user's bash history, which might also not be intended. This isn't an issue for the non-interactive shells this issue is about, though. |
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/agenix-encrypted-plaintext-passwords-and-builtins-readfile/18425/3 |
...by using `replace-secret` instead of `sed` when injecting the password into the ddclient config file. (Verified with `execsnoop`.) Ref #156400.
Closed by accident, reopening now. |
The current authentication code is broken against newer jenkins: jenkins-job-builder-start[1257]: Asking Jenkins to reload config jenkins-start[789]: 2022-07-12 14:34:31.148+0000 [id=17] WARNING hudson.security.csrf.CrumbFilter#doFilter: Found invalid crumb 31e96e52938b51f099a61df9505a4427cb9dca7e35192216755659032a4151df. If you are calling this URL with a script, please use the API Token instead. More information: https://www.jenkins.io/redirect/crumb-cannot-be-used-for-script jenkins-start[789]: 2022-07-12 14:34:31.160+0000 [id=17] WARNING hudson.security.csrf.CrumbFilter#doFilter: No valid crumb was included in request for /reload by admin. Returning 403. jenkins-job-builder-start[1357]: curl: (22) The requested URL returned error: 403 Fix it by using `jenkins-cli` instead of messing with `curl`. This rewrite also prevents leaking the password in process listings. (We could probably do it without `replace-secret`, assuming `printf` is a shell built-in, but this implementation should be safe even with shells not having a built-in `printf`.) Ref NixOS#156400.
The current authentication code is broken against newer jenkins: jenkins-job-builder-start[1257]: Asking Jenkins to reload config jenkins-start[789]: 2022-07-12 14:34:31.148+0000 [id=17] WARNING hudson.security.csrf.CrumbFilter#doFilter: Found invalid crumb 31e96e52938b51f099a61df9505a4427cb9dca7e35192216755659032a4151df. If you are calling this URL with a script, please use the API Token instead. More information: https://www.jenkins.io/redirect/crumb-cannot-be-used-for-script jenkins-start[789]: 2022-07-12 14:34:31.160+0000 [id=17] WARNING hudson.security.csrf.CrumbFilter#doFilter: No valid crumb was included in request for /reload by admin. Returning 403. jenkins-job-builder-start[1357]: curl: (22) The requested URL returned error: 403 Fix it by using `jenkins-cli` instead of messing with `curl`. This rewrite also prevents leaking the password in process listings. (We could probably do it without `replace-secret`, assuming `printf` is a shell built-in, but this implementation should be safe even with shells not having a built-in `printf`.) Ref #156400.
The current authentication code is broken against newer jenkins: jenkins-job-builder-start[1257]: Asking Jenkins to reload config jenkins-start[789]: 2022-07-12 14:34:31.148+0000 [id=17] WARNING hudson.security.csrf.CrumbFilter#doFilter: Found invalid crumb 31e96e52938b51f099a61df9505a4427cb9dca7e35192216755659032a4151df. If you are calling this URL with a script, please use the API Token instead. More information: https://www.jenkins.io/redirect/crumb-cannot-be-used-for-script jenkins-start[789]: 2022-07-12 14:34:31.160+0000 [id=17] WARNING hudson.security.csrf.CrumbFilter#doFilter: No valid crumb was included in request for /reload by admin. Returning 403. jenkins-job-builder-start[1357]: curl: (22) The requested URL returned error: 403 Fix it by using `jenkins-cli` instead of messing with `curl`. This rewrite also prevents leaking the password in process listings. (We could probably do it without `replace-secret`, assuming `printf` is a shell built-in, but this implementation should be safe even with shells not having a built-in `printf`.) Ref #156400. (cherry picked from commit 7a01213)
The current authentication code is broken against newer jenkins: jenkins-job-builder-start[1257]: Asking Jenkins to reload config jenkins-start[789]: 2022-07-12 14:34:31.148+0000 [id=17] WARNING hudson.security.csrf.CrumbFilter#doFilter: Found invalid crumb 31e96e52938b51f099a61df9505a4427cb9dca7e35192216755659032a4151df. If you are calling this URL with a script, please use the API Token instead. More information: https://www.jenkins.io/redirect/crumb-cannot-be-used-for-script jenkins-start[789]: 2022-07-12 14:34:31.160+0000 [id=17] WARNING hudson.security.csrf.CrumbFilter#doFilter: No valid crumb was included in request for /reload by admin. Returning 403. jenkins-job-builder-start[1357]: curl: (22) The requested URL returned error: 403 Fix it by using `jenkins-cli` instead of messing with `curl`. This rewrite also prevents leaking the password in process listings. (We could probably do it without `replace-secret`, assuming `printf` is a shell built-in, but this implementation should be safe even with shells not having a built-in `printf`.) Ref #156400. (cherry picked from commit 7a01213)
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/set-password-for-a-postgresql-user-from-a-file-agenix/41377/5 |
Describe the bug
When specifying secrets via arguments, they will be exposed via
/proc/<pid>/cmdline
- this is also possible if passed indirectly via an environment variable, since the shell resolves the value. This can be trivially demonstrated like so:Some modules seem to use shell scripts to feed values provided via
passwordFile
or similar to their applications at runtime (with constructs likeSECRETKEY="$(head -n1 ${secretKey})"
). Often, these are then fed tosed
to replace values in template files, or passed to--password
arguments (which are often, but not always, arguably an upstream problem).I'm not sure how widespread exactly this is, some way to search for occurrences of this would be nice. It's difficult because not all secrets are named
passwordFile
and there would be a lot of false positives if we simply pinged all modules that have such options. It's also hard to tell when this needs an upstream fix, but at least I'd arguepasswordFile
args should not be created for modules that cannot keep the secrets from being world-readable outside the nix store either.I'd like to point out replace-secret, which essentially exists to do this without leaking secrets.
For now, I believe at least these modules to do such things in 21.11 - I did not check if upstream have a better way of supplying secrets where applicable:
nixos/modules/services/misc/gitea.nix
(@srhb @Ma27) - nixos/gitea: Prevent secrets from being exposed at ExecStart time #156401nixos/modules/services/web-servers/ttyd.nix
(@nagy @atopuzov) - Allow specifying HTTP basic auth credentials from a file tsl0922/ttyd#872nixos/modules/services/networking/hans.nix
nixos/modules/services/networking/ddclient.nix
(@felschr) - nixos/ddclient: don't leak password in process listings #181197nixos/modules/services/web-apps/photoprism.nix
Config: Read secrets from file photoprism/photoprism#2302There are also some modules that use bash heredocs and
printf
(notably,nixos/modules/config/ldap.nix
), which I believe are safe, but could probably do with some comments to point this out.I guess it will be fairly common though, since the requirement of passing secrets via files is somewhat more pronounced in NixOS, not always considered by upstreams, and leaking secrets via
ps
is an easy thing to overlook. Maybe we should consider some kind of support inlib
for supplying secrets to applications to avoid things like this (and get more use out of systemd, which has some nice secret-passing functionality).The text was updated successfully, but these errors were encountered: