juju-core

--debug dumps sensitive information to terminal

Bug #1289038 reported by Marco Ceppi on 2014-03-06

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	juju-core	Fix Released	Medium	Andrew Wilkins	juju-core 1.21-beta1

Bug Description

When trying to help users, if any of them runs --debug the first line of the command output is the jenv file which contains sensitive information. This makes it very hard to help users troubleshoot without them leaking their credentials.

Tags:

Related branches

lp:~natefinch/juju-core/053-nolog-jenv

On hold for merging into lp:~go-bot/juju-core/trunk

Juju Engineering: Pending requested 2014-05-28

Curtis Hovey (sinzui) on 2014-03-06

Changed in juju-core:
status:	New → Triaged
importance:	Undecided → High
tags:	added: security
tags:	added: ci

Canonical Juju QA Bot (juju-qa-bot) on 2014-05-12

Changed in juju-core:
importance:	High → Medium

Revision history for this message

Curtis Hovey (sinzui) wrote on 2014-11-07:

I believe this is fixed in 1.21. While comparing a 1.20 and a 1.21 bootstrap I noticed that 1.21 doesn't dump the cloud-init script to stderr. There is no cert or password or access key shown in the 1.21 --debug, but there is in 1.20

Andrew Wilkins (axwalk) on 2014-11-10

Changed in juju-core:
status:	Triaged → Fix Committed
assignee:	nobody → Andrew Wilkins (axwalk)
milestone:	none → 1.21-beta1

Curtis Hovey (sinzui) on 2014-11-10

Changed in juju-core:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.