--debug dumps sensitive information to terminal

Bug #1289038 reported by Marco Ceppi on 2014-03-06
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
juju-core
Medium
Andrew Wilkins

Bug Description

When trying to help users, if any of them runs --debug the first line of the command output is the jenv file which contains sensitive information. This makes it very hard to help users troubleshoot without them leaking their credentials.

Related branches

Curtis Hovey (sinzui) on 2014-03-06
Changed in juju-core:
status: New → Triaged
importance: Undecided → High
tags: added: security
tags: added: ci
Changed in juju-core:
importance: High → Medium
Curtis Hovey (sinzui) wrote :

I believe this is fixed in 1.21. While comparing a 1.20 and a 1.21 bootstrap I noticed that 1.21 doesn't dump the cloud-init script to stderr. There is no cert or password or access key shown in the 1.21 --debug, but there is in 1.20

Andrew Wilkins (axwalk) on 2014-11-10
Changed in juju-core:
status: Triaged → Fix Committed
assignee: nobody → Andrew Wilkins (axwalk)
milestone: none → 1.21-beta1
Curtis Hovey (sinzui) on 2014-11-10
Changed in juju-core:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers