pyjuju

example passes passwords via command line arguments

Bug #998153 reported by Ansgar Burchardt on 2012-05-11

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	pyjuju	Triaged	Low	Unassigned

Bug Description

The example charm on https://juju.ubuntu.com/docs/write-charm.html passes passwords via command line arguments which potentially allows local users to see them.

Some charms seem to do so as well, for example the one for mediawiki does in [1].

[1] https://bazaar.launchpad.net/~charmers/charms/precise/mediawiki/trunk/view/head:/hooks/config-changed

Revision history for this message

Clint Byrum (clint-fewbar) wrote on 2012-05-11:

Hi Ansgar!

I'm not so sure this is all that much of a concern in the target for these particular charms. They are both meant as automated targets to single use machines in the cloud, not things you would run on multi-user or multi-purpose hosts.

That doesn't mean its a good idea, we still should be mindful of use cases that we're not considering, but I think that mitigates the problem quite a bit.

Clint Byrum (clint-fewbar) on 2012-10-23

Changed in juju:
status:	New → Triaged
importance:	Undecided → Low

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.