bash set -x leaks secrets in juju debug-log
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
suitecrm (Juju Charms Collection) | Fix Committed | Undecided | Joe Liau | |
Bug Description
"set -ex" is set for both the database-
...
INFO unit.suitecrm/
INFO unit.suitecrm/
...
INFO unit.suitecrm/
INFO unit.suitecrm/
...
This may be fine for debugging or deploying in trusted environments, but you may want to consider keeping these secrets out of the log. To do this, I suggest either changing "set -ex" to "set -e" in the offending hooks, or wrapping the blocks that use passwords with a "set +x <code> set -x", for example:
=== modified file 'hooks/
--- hooks/database-
+++ hooks/database-
@@ -6,11 +6,13 @@
juju-log "${JUJU_UNIT_NAME} database relation changed starting."
+set +x
db_user=
db_name=
db_pass=
db_host=
db_port="3306"
+set -x
if [ -z "${db_name}" ]; then
juju-log "The database information is not complete, silently exiting."
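Review bot: The `set -x` after `db_port="3306"` switches tracing back on for the rest of the hook, so the fix only holds if every later expansion of `${db_pass}` is wrapped individually. Dropping `-x` from the hook's `set -ex`, the other option named in the description, removes the need to track each use; if tracing is kept, confirm that nothing between this block and the mysql call expands the password.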
@@ -36,6 +38,7 @@
table_
create_
+ set +x
if mysql --user=${db_user} --password=
juju-log "The table ${table_name} did not exist, load the mysql data."
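Review bot: With tracing off, `--password=` on the `mysql` command line in the `if` condition still puts the password in the process argument list, where other local users can read it while the command runs. Consider supplying the credentials through an option file with restrictive permissions passed via `--defaults-extra-file`, and quote `${db_user}` while touching this line.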
@@ -44,6 +47,7 @@
else
juju-log "The table ${table_name} already exists in ${db_name}."
fi
+ set -x
# Move the database file so the load only happens one time.
mv ${database_file} ${database_
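Review bot: The `set -x` after `fi` closes a region opened by the `set +x` in the previous hunk, so the pair straddles the whole `if`/`else` and nothing on either line says why. A short comment on both lines stating that tracing is off because the condition passes the database password would keep a later edit from moving or removing one half of the pair.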
Changed in suitecrm (Juju Charms Collection):
assignee: nobody → Joe Liau (joe)
Changed in suitecrm (Juju Charms Collection):
status: New → Fix Committed
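An added example, not part of the original report or the charm's code: it captures what `set -x` writes when a secret is assigned directly, and compares it with a helper that turns tracing off for the assignment and then restores the previous state rather than forcing `set -x`. The names `fake_relation_get`, `assign_untraced` and `trace_of` are hypothetical and the secret is a constructed sample value.

```shell
#!/bin/sh
# Constructed sample value; stands in for the password the hook receives.
SAMPLE_SECRET='s3cr3t-constructed'

# Hypothetical stand-in for the hook's relation lookup of the password.
fake_relation_get() { printf '%s\n' "$SAMPLE_SECRET"; }

# assign_untraced VAR cmd [args...]
# Runs cmd with xtrace off, stores its output in VAR, then restores the
# xtrace state the caller had instead of forcing `set -x`.
# The arguments must not be secret: the call line itself is traced.
assign_untraced() {
    case $- in *x*) _was_x=1; set +x ;; *) _was_x=0 ;; esac
    _var=$1; shift
    _rc=0
    _val=$("$@") || _rc=$?
    [ "$_rc" -eq 0 ] && eval "$_var=\$_val"
    [ "$_was_x" = 1 ] && set -x
    return "$_rc"
}

# trace_of naive|guarded
# Runs a hook-like fragment under `set -x` and prints only the xtrace output.
trace_of() {
    (
        set -x
        if [ "$1" = naive ]; then
            db_pass=$(fake_relation_get)
        else
            assign_untraced db_pass fake_relation_get
        fi
        # Expanding the length, not the value, shows the variable is set.
        : "hook continues, db_pass length ${#db_pass}"
    ) 2>&1 >/dev/null
}

printf '== naive ==\n%s\n== guarded ==\n%s\n' \
    "$(trace_of naive)" "$(trace_of guarded)"
```

Any later line that expands `${db_pass}` while tracing is on is logged again, so the commands that use the secret need the same treatment as the assignment.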