-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: local keystore passwords appear in the process table #9957
Comments
These are the passwords generated at pod startup and used for the PKCS12 stores used by the ZooKeeper / Kafka. They will be also stored in their configuration files. Plus the original PEM files are mounted from the secrets next to them. So I do not think these passwords really leak anything secret that you cannot otherwise obtain. |
for example a pod running as user nobody on the node, and started with hostPID=true (such as a node exporter pod for example) would be able to see the password when running a ps a the right time. It does not have access to the configuration files or PEM files or secret or mounts from strimzi pods, but it can obtain the secret from the process table. |
Sure. But the passwords are generated at the container startup and used for the PKCS12 files generated in the container. So you need to access the PKCS12 files in the container to use the passwords and if you can do that, you have the password anyway in the config file next to it. I do not have a problem if anyone wants to improve this. But want to make it more clear what these passwords are. |
Discussed on the community call on 18.4.: As explained above, this is not a real security issue. But would be nice to have it fixed. @freedge do you plan to contribute this? Or can someone else look into it? |
hi, not really. (I made a list of findings and this one is at the bottom since it's not really an issue). Also it's not super trivial, in addition to fixing a bunch of scripts, strimzi-kafka-operator/kafka-agent/src/main/java/io/strimzi/kafka/agent/KafkaAgent.java Line 452 in 51442a7
|
Bug Description
on clusters running kafka deployments deployed with strimzi-operator, we find various processes called with a password as argument. The password appears in the process table and is recorded by auditing tools
Steps to reproduce
Expected behavior
no password appearing on the command line
Strimzi version
strimzi-cluster-operator.v0.40.0
Kubernetes version
OpenShift 4.14
Installation method
from community operators
Infrastructure
Bare-metal
Configuration files and logs
No response
Additional context
example of code passing a password as argument to a process:
strimzi-kafka-operator/topic-operator/scripts/tls_prepare_certificates.sh
Line 19 in 4e8f6e4
processes found by stackrox:
The text was updated successfully, but these errors were encountered: