Randomly-set credentials not available within the instance
Bug #1921124 reported by
Dan Watkins
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| cloud-init |
Expired
|
Undecided
|
Dan Watkins | ||
Bug Description
As part of the fix for bug 1918303 in [0], we stopped emitting randomly-generated passwords to /var/log/
We should reintroduce saving these passwords somewhere in the instance, securely, so that these use cases are not regressed.
[0] https:/
| Changed in cloud-init: | |
| assignee: | nobody → Dan Watkins (oddbloke) |
| status: | New → In Progress |
Revision history for this message
| Dan Watkins (oddbloke) wrote | #1 |
Revision history for this message
| James Falcon (falcojr) wrote | #2 |
| Changed in cloud-init: | |
| status: | In Progress → Expired |
To post a comment you must log in.
To ensure these are secure, they should be written to an only-readable-
In terms of path, /run/cloud-init seems like a sensible place to put these. In security terms, it's good: the passwords will only be available until the instances is first rebooted, as /run is a tmpfs. However, if folks use cc_power_state to reboot a machine, for example, they'll never be able to read the file before it's wiped out.
Writing to /var/lib/cloud/data seems possible, but that directory isn't cleaned up by cloud-init if the filesystem performs another first boot (i.e. is captured as an image and launched). This means that such an image would contain users with passwords stored in the filesystem. I don't think this is a problem for the new instance per se: you would need root permissions to read the passwords anyway, so you can't gain further access using them. However, I think it presents a problem for _other_ instances launched from such an image: anyone with root on one such instance therefore has passwords that could grant them access to other instances. (Such access could be privileged if `root` has a random password generated by cloud-init, or any of the other users have sudo permissions.)
/var/lib/
Given all this, I'm leaning towards using a path in /run. Randomly-generated passwords will therefore be readable for the duration of an instance's first boot, and will disappear when that instance is next shut down. This means they will not leak into subsequent boots, or into images captured from such instances.
Any users for whom this causes a problem can work around it in their cloud-config (e.g. by doing a `cp` in a `runcmd`). This gives us secure default behaviour, and means that users have to explicitly opt for less secure behaviour.