bash set -x leaks secrets in juju debug-log

Bug #1499469 reported by Kevin W Monroe
This bug affects 2 people

Affects: suitecrm (Juju Charms Collection)
Status: Fix Committed
Importance: Undecided
Assigned to: Joe Liau

Bug Description

"set -ex" is set for both the database-relation-changed and config-changed hooks. If I run 'juju debug-log -i suitecrm/0' while either of these hooks fires, I see the following:

...
INFO unit.suitecrm/0.database-relation-changed logger.go:40 + admin_password='thisisaTEST!'
INFO unit.suitecrm/0.database-relation-changed logger.go:40 + mysql --user=weibiequohvupah --password=moophohveigusie -h 172.31.62.153 suitecrm -e 'UPDATE users SET user_hash = '\''$1$gzaxfaN8$XreELzR7lBk.bJndeNIiT0'\'' WHERE user_name = '\''Admin'\'';'
...
INFO unit.suitecrm/0.config-changed logger.go:40 + admin_password='thisisaTEST!'
INFO unit.suitecrm/0.config-changed logger.go:40 + mysql --user=weibiequohvupah --password=moophohveigusie -h 172.31.62.153 suitecrm -e 'UPDATE users SET user_hash = '\''$1$SmxmsvyH$jWfrErljxHhH6JVhEdE7G/'\'' WHERE user_name = '\''Admin'\'';'
...

This may be fine for debugging or deploying in trusted environments, but you may want to consider keeping these secrets out of the log. To do this, I suggest either changing "set -ex" to "set -e" in the offending hooks, or wrapping the blocks that use passwords with "set +x <code> set -x", for example:

=== modified file 'hooks/database-relation-changed'
--- hooks/database-relation-changed 2015-08-25 07:09:54 +0000
+++ hooks/database-relation-changed 2015-09-24 17:16:16 +0000
@@ -6,11 +6,13 @@

 juju-log "${JUJU_UNIT_NAME} database relation changed starting."

+set +x
 db_user=`relation-get user`
 db_name=`relation-get database`
 db_pass=`relation-get password`
 db_host=`relation-get private-address`
 db_port="3306"
+set -x

 if [ -z "${db_name}" ]; then
   juju-log "The database information is not complete, silently exiting."
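Review bot: the guard here switches tracing off for all four `relation-get` assignments, but only `db_pass` is a secret; `db_user`, `db_name` and `db_host` are the values an operator most often needs to see in `juju debug-log` when a relation misbehaves, so a narrower guard around just the `db_pass=\`relation-get password\`` line would keep that diagnostic value. Hiding the assignment alone is also not sufficient on its own, since every later expansion of `${db_pass}` is traced as well, which is why the two following hunks are needed; the `set -x` that closes this guard re-enables tracing unconditionally, so it stays correct only while the hook keeps `set -ex` at the top, and the pair should be revisited if that header ever changes.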
@@ -36,6 +38,7 @@
   table_name="juju"

   create_table="create table ${table_name} (dbloaded int DEFAULT 1) engine InnoDB;"
+ set +x
   if mysql --user=${db_user} --password=${db_pass} -h ${db_host} ${db_name} -e "${create_table}"; then
     juju-log "The table ${table_name} did not exist, load the mysql data."

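Review bot: `+ set +x` is indented with one space while the surrounding lines in this block use two (`  if mysql ...`), so it should read `  set +x` to match. The guard does cover the `mysql --user=${db_user} --password=${db_pass}` invocation, which is the second leak quoted in the report; the `juju-log` call inside the guarded region still reaches the log because it writes explicitly rather than via xtrace, and it carries no password, so that is fine. Independently of tracing, the password remains on the mysql command line and is visible to any process on the unit via `ps`; passing it through the `MYSQL_PWD` environment variable or a `--defaults-extra-file` would close that as well.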
@@ -44,6 +47,7 @@
   else
     juju-log "The table ${table_name} already exists in ${db_name}."
   fi
+ set -x

   # Move the database file so the load only happens one time.
   mv ${database_file} ${database_file}.loaded
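Review bot: same indentation issue as the previous hunk, `+ set -x` has one space where the block uses two. More importantly, the `set +x` opened before the `if mysql ...` in the previous hunk is only closed here after the `fi`, so the pair spans two hunks and is easy to break when the block in between is edited; a short marker comment at each end, such as `# tracing off: db_pass in use` and `# tracing back on`, would make the pairing obvious to the next maintainer. Because `set -e` is active, a failure inside the guarded region exits the hook with tracing still off, which is acceptable, but it means the failing command itself will not appear in debug-log and only mysql's own stderr message will.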

Changed in suitecrm (Juju Charms Collection):
assignee: nobody → Joe Liau (joe)
Joe Liau (joe)
Changed in suitecrm (Juju Charms Collection):
status: New → Fix Committed
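The following is an added example, not code from the bug report or from the suitecrm charm. It reproduces the effect described above in a self-contained way: a hook-like fragment is run once as the charm had it and once with the `set +x` / `set -x` guard, and the xtrace output (stderr, which is what juju forwards to `debug-log`) is checked for the password. The secret value `S3cretExample!`, the `fake_relation_get` stand-in for `relation-get`, and the `fake_mysql` stand-in for the mysql client are all constructed for this example; `MYSQL_PWD` is the real mysql client environment variable.

```shell
#!/usr/bin/env bash
# Added example, not code from the bug report or the suitecrm charm.
# Shows what `set -x` writes to the trace (stderr, forwarded by juju to
# debug-log) for a hook-like fragment, unguarded and then guarded with
# `set +x` ... `set -x`. Secret value and both stand-ins are constructed.

# Constructed stand-in for `relation-get`; no real Juju relation is read.
fake_relation_get() {
  case "$1" in
    user)     printf '%s\n' 'dbuser' ;;
    password) printf '%s\n' 'S3cretExample!' ;;
    *)        printf '\n' ;;
  esac
}

# Constructed stand-in for the mysql client: it ignores its arguments and
# exists only so that the command line gets traced like the real one.
fake_mysql() { :; }

# Hook fragment as the charm had it: every expansion is traced, including
# the password assignment and the --password= argument.
hook_unguarded() {
  set -ex
  db_user=$(fake_relation_get user)
  db_pass=$(fake_relation_get password)
  db_port=3306
  fake_mysql --user="${db_user}" --password="${db_pass}" -h 127.0.0.1 -e 'select 1'
}

# Same fragment with tracing switched off around the lines that touch the
# password. Tracing is resumed in between so non-secret steps (db_port
# here) still show up in debug-log.
hook_guarded() {
  set -ex
  set +x                                   # tracing off: reading secrets
  db_user=$(fake_relation_get user)
  db_pass=$(fake_relation_get password)
  set -x                                   # tracing back on
  db_port=3306
  set +x                                   # tracing off: password in use
  # A prefixed assignment such as MYSQL_PWD=... is traced by the shell as
  # well, so it must sit inside the guard; unlike --password= it keeps the
  # password out of the argv that other processes on the unit can see.
  MYSQL_PWD="${db_pass}" fake_mysql --user="${db_user}" -h 127.0.0.1 -e 'select 1'
  set -x                                   # tracing back on
}

# Runs a hook function in a subshell and returns only its trace output,
# i.e. the `+ ...` lines that `juju debug-log` would show.
trace_of() {
  ( "$1" ) 2>&1 >/dev/null
}

# Exit status 0 when the constructed secret appears in the hook's trace.
leaks_secret() {
  trace_of "$1" | grep -q 'S3cretExample!'
}

# Driver: report both variants when the file is run directly.
for hook in hook_unguarded hook_guarded; do
  if leaks_secret "$hook"; then
    echo "$hook: password visible in trace"
  else
    echo "$hook: trace is clean"
  fi
done
```

Running the file prints that `hook_unguarded` exposes the password (both as `+ db_pass=...` and in the `--password=` argument) while `hook_guarded` does not. The `trace_of` helper is useful on its own for checking a real hook script under `bash -x` before it is deployed: pipe its output through `grep` for the values read from `relation-get` or `config-get` and nothing should match.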