yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Stanislaw Pitucha <1465922@xxxxxxxxxxxxxxxxxx>
Date: Mon, 04 Jan 2016 04:53:22 -0000
Reply-to: Bug 1465922 <1465922@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

For Bandit I'm marking "Won't fix":
Offending code is:

    LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
        'action': action,
        'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})

There's no indication of what the kwargs are, so without a runtime
integration (tainting) or symbolic execution this is not realistic to
pick up. At the call sites the kwargs are not a literal dict, but rather
values from up the call chain, so not easy to analyse.

It would be great to pick this up, but it's way out of reach for the
engine currently or in reasonable future.

** Changed in: bandit
       Status: New => Won't Fix

** Changed in: bandit
   Importance: Undecided => Wishlist

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1465922

Title:
  Password visible in clear text in keystone.log when user created and
  keystone debug logging is enabled

Status in Bandit:
  Won't Fix
Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) juno series:
  Fix Released
Status in OpenStack Identity (keystone) kilo series:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  grep CLEARTEXTPASSWORD keystone.log

  2015-06-16 06:44:39.770 20986 DEBUG keystone.common.controller [-]
  RBAC: Authorizing identity:create_user(user={u'domain_id': u'default',
  u'password': u'CLEARTEXTPASSWORD', u'enabled': True,
  u'default_project_id': u'0175b43419064ae38c4b74006baaeb8d', u'name':
  u'DermotJ'}) _build_policy_check_credentials /usr/lib/python2.7/site-
  packages/keystone/common/controller.py:57

  Issue code:
  https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L57

      LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
          'action': action,
          'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})

  Shadow the values of sensitive fields like 'password' by some
  meaningless garbled text like "XXXXX" is one way to fix.

  Well, in addition to this, I think we should never pass the 'password'
  with its original value along the code and save it in any persistence,
  instead we should convert it to a strong hash value as early as
  possible. With the help of a good hash system, we never have to need
  the original value of the password, right?

To manage notifications about this bug go to:
https://bugs.launchpad.net/bandit/+bug/1465922/+subscriptions