[Bug 2085607] Re: [sru] Obfuscation issues in sosreport sos 4.7.2
Arif Ali
2085607 at bugs.launchpad.net
Tue Dec 3 20:25:02 UTC 2024
oracular verification tests
copied a set of files from an openstack build with similar parameters
root at oracular-openstack:~# sos report -o openstack_heat,openstack_placement,mysql --batch --build
<snip>
Setting up archive ...
Setting up plugins ...
Running plugins. Please wait ...
Starting 1/3 mysql [Running: mysql]
Starting 2/3 openstack_heat [Running: mysql openstack_heat]
Starting 3/3 openstack_placement [Running: mysql openstack_heat openstack_placement]
Finishing plugins [Running: mysql openstack_heat]
Finishing plugins [Running: mysql]
Finished running plugins
Your sos report build tree has been generated in:
/tmp/sosreport-oracular-openstack-2024-12-03-qmzqdpo
root at oracular-openstack:~# sudo grep auth_encryption_key /tmp/sosreport-oracular-openstack-2024-12-03-qmzqdpo/etc/heat/heat.conf
auth_encryption_key = pB7S4RsGZmMSCdRFZgrhcqKn25jF4mLx
root at oracular-openstack:~# grep -E "NOVA_API_PASS|PLACEMENT_PASS" /tmp/sosreport-oracular-openstack-2024-12-03-qmzqdpo/etc/placement/migrate-db.rc
NOVA_API_PASS="255qjcbpM9tsYHcXTmX5RVSMKScp4CPS"
PLACEMENT_PASS="VXfhZgWXMqk7g5NyNnZNRtww8w5y2Frd"
root at oracular-openstack:~# grep password /tmp/sosreport-oracular-openstack-2024-12-03-qmzqdpo/etc/mysql/debian.cnf
password = MLzJoxvfdq7iXvJu
password = MLzJoxvfdq7iXvJu
# Now enable proposed
root at oracular-openstack:~# sos report -o openstack_heat,openstack_placement,mysql --batch --build
<snip>
Setting up archive ...
Setting up plugins ...
Running plugins. Please wait ...
Starting 1/3 mysql [Running: mysql]
Starting 2/3 openstack_heat [Running: mysql openstack_heat]
Starting 3/3 openstack_placement [Running: mysql openstack_heat openstack_placement]
Finishing plugins [Running: mysql openstack_heat]
Finishing plugins [Running: mysql]
Finished running plugins
Your sos report build tree has been generated in:
/tmp/sosreport-oracular-openstack-2024-12-03-exguthq
root at oracular-openstack:~# sudo grep auth_encryption_key /tmp/sosreport-oracular-openstack-2024-12-03-exguthq/etc/heat/heat.conf
auth_encryption_key = *********
root at oracular-openstack:~# grep -E "NOVA_API_PASS|PLACEMENT_PASS" /tmp/sosreport-oracular-openstack-2024-12-03-exguthq/etc/placement/migrate-db.rc
NOVA_API_PASS=*********
PLACEMENT_PASS=*********
root at oracular-openstack:~# grep password /tmp/sosreport-oracular-openstack-2024-12-03-exguthq/etc/mysql/debian.cnf
password = *********
password = *********
** Tags removed: verification-needed verification-needed-oracular
** Tags added: verification-done verification-done-oracular
--
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2085607
Title:
[sru] Obfuscation issues in sosreport sos 4.7.2
Status in sosreport source package in Focal:
Fix Committed
Status in sosreport source package in Jammy:
Fix Committed
Status in sosreport source package in Noble:
Fix Committed
Status in sosreport source package in Oracular:
Fix Committed
Bug description:
[ Impact ]
When doing SRU for sos 4.7.2 we encountered obfuscation issues,
although not a regression at the time, it was still an issue that had
been present for a while
So, these passwords would be fully visible to the end support
personnel and therefore leaked passwords.
[ Test Plan ]
1. Deploy a sunbeam simple cloud, and run the sos report, check to see if passwords are obfuscated in configuration file
2. Deploy heat, and ensure auth_encryption_key is obfuscated in configuration file
3. Deploy placement, and ensure that both NOVA_API_PASS and PLACEMENT_PASS are obfuscated in configuration file
4. Deploy mysql and ensure password field is obfuscated in configuration file
[ Where problems could occur ]
The corresponding files are not obfuscated, and we need to update the
patches
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/focal/+source/sosreport/+bug/2085607/+subscriptions
More information about the Ubuntu-sponsors
mailing list