IPMI uses temporary password files with no alternative

Bug #2058749 reported by Kaifeng Wang
This bug affects 1 person
Affects: Ironic    Status: Fix Released    Importance: High    Assigned to: Afonne-CID

Bug Description

Ironic generates a temporary password file for each ipmi operation, which records the plain password in the file. Normally it's not an issue since requests like power control complete in a short time, but when the sol console is active, the password file persists on the disk for a long time; this exposes a security vulnerability.
The proposed solution is to utilize the -E option instead of -f to pass the credential to ipmitool. This security issue is severely alleviated since the environment variable is limited to the user session of ironic, which is typically a non-login user.

Kaifeng Wang (kaifeng)
Changed in ironic:
status: New → Triaged
importance: Undecided → High
Revision history for this message
Julia Kreger (juliaashleykreger) wrote :

I suspect this is a case where a patch would be welcome to change the default mode of operation for that.

But that being said, we're just trading a risk off here.

For example, a restricted file for a service in a container can be harder to get to, but then any administrative user for a conductor could then also pull the environment variables from the system.

The risk fundamentally seems the same, and in either case other users should not be present on the system where a conductor service operates.

Afonne-CID (cidelight)
Changed in ironic:
assignee: nobody → Afonne-CID (cidelight)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/ironic/+/917229

Changed in ironic:
status: Triaged → In Progress
summary: - IPMI credential exposure
+ IPMI uses temporary password files with no alternative
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (master)

Reviewed: https://review.opendev.org/c/openstack/ironic/+/917229
Committed: https://opendev.org/openstack/ironic/commit/2548f022c511c228250625822dfe9c29425fd6a5
Submitter: "Zuul (22348)"
Branch: master

commit 2548f022c511c228250625822dfe9c29425fd6a5
Author: cid <email address hidden>
Date: Fri Apr 26 11:46:14 2024 +0100

    Flexible IPMI credential persistence method configuration

    Instead of only file-based persistence which leaves files
    with credentials on the conductor disk for the duration of
    the session.

    User can now pass ``True`` to the ``store_cred_in_env`` parameter
    which instead stores IPMI password as an environment variable, still
    for the duration of the session, but limiting exposure to just the
    user session of ironic and anyone that has access to it.

    Defaults to ``False``.

    Closes-Bug: #2058749

    Change-Id: Icd91e969e5c58bf42fc50958c3cd1acabd36ccdf

Changed in ironic:
status: In Progress → Fix Released
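The two hand-off mechanisms the report and the fix compare, as an added example in Python rather than Ironic's own code: the context-manager name ``ipmi_credentials``, the ``store_cred_in_env`` flag and the sample host/user/password are assumptions made here; the ipmitool options are real (``-f FILE`` reads the password from FILE, ``-E`` reads it from the ``IPMI_PASSWORD`` environment variable). The example shows what each mode leaves on the conductor: file mode creates a 0600 temp file that exists exactly as long as the session and is unlinked on exit, env mode creates no file and keeps the secret only in the child's environment, and in neither mode does the password reach argv, where ``/proc/<pid>/cmdline`` would expose it to every local user.

```python
"""Hand an IPMI password to ipmitool via a temp file (-f) or the environment (-E).

Added example, not Ironic's code. ``ipmi_credentials``, ``store_cred_in_env``
and ``describe`` are hypothetical names; the ipmitool flags are real.
"""
import contextlib
import os
import stat
import tempfile
from typing import Dict, Iterator, List, Tuple

IPMI_PASSWORD_ENV = "IPMI_PASSWORD"  # the variable ipmitool -E reads


@contextlib.contextmanager
def ipmi_credentials(host: str, user: str, password: str,
                     store_cred_in_env: bool = False
                     ) -> Iterator[Tuple[List[str], Dict[str, str]]]:
    """Yield (argv, env) for one ipmitool run, e.g. subprocess.run(argv, env=env).

    The password is never placed on argv. In file mode it lives in a 0600
    temp file removed when the block exits; in env mode it lives only in the
    environment passed to the child. Either way anyone running as the same
    user can still read it (the file, or /proc/<pid>/environ), which is the
    trade-off discussed in the thread.
    """
    argv = ["ipmitool", "-I", "lanplus", "-H", host, "-U", user]
    # Start from a copy of our environment with any stale password scrubbed.
    env = {k: v for k, v in os.environ.items() if k != IPMI_PASSWORD_ENV}

    if store_cred_in_env:
        env[IPMI_PASSWORD_ENV] = password
        argv.append("-E")
        yield argv, env
        return

    # mkstemp opens with O_CREAT|O_EXCL and mode 0600: no other user can read
    # it and a pre-placed file of the same name cannot be substituted.
    fd, path = tempfile.mkstemp(prefix="ipmi-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(password + "\n")
        argv += ["-f", path]
        yield argv, env
    finally:
        # Runs even if the caller raises, so the file lives no longer than
        # the ipmitool session it backs (long for a sol console).
        with contextlib.suppress(FileNotFoundError):
            os.unlink(path)


def describe(store_cred_in_env: bool) -> dict:
    """Exercise one mode with constructed input and report what was exposed."""
    secret = "s3cret"  # constructed sample password
    with ipmi_credentials("10.0.0.5", "admin", secret,
                          store_cred_in_env) as (argv, env):
        path = argv[argv.index("-f") + 1] if "-f" in argv else None
        result = {
            "argv": argv,
            "password_on_argv": secret in argv,
            "password_in_env": env.get(IPMI_PASSWORD_ENV) == secret,
            "file_exists_during": path is not None and os.path.exists(path),
            "file_holds_password": (path is not None and
                                    open(path).read().strip() == secret),
            "file_mode": (stat.S_IMODE(os.stat(path).st_mode)
                          if path is not None else None),
        }
    # Back outside the session: file mode must have cleaned up after itself.
    result["file_exists_after"] = path is not None and os.path.exists(path)
    return result


if __name__ == "__main__":
    for mode in (False, True):
        print("store_cred_in_env=%s -> %s" % (mode, describe(mode)))
```

The default here is file mode, matching the merged change, because the operator who has containerised the conductor may find a 0600 file inside the container harder to reach than an environment a host-level administrator can dump; an operator who instead worries about what a long-lived sol session leaves on disk flips the flag and gets no file at all.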
This report contains Public information  