Removing logs/env.log


Dieu Cao

Aug 18, 2014, 11:47:51 PM
to vcap...@cloudfoundry.org
Hi,

We are planning on removing logs/env.log which contains a dump of environment variables that is written to when the container starts up.
This change will help address security concerns around writing clear text passwords to disk.
The apps' environment variables can now be retrieved via API as needed.

-Dieu

Christopher Ferris

Aug 19, 2014, 8:55:19 AM
to vcap...@cloudfoundry.org

Doug Davis

Aug 19, 2014, 9:19:37 AM
to vcap...@cloudfoundry.org

While I understand the general concern that security folks typically have around putting passwords (in the clear) on disk, I'm wondering what the real security issue is here?  Does someone have access to the logs/env.log file (or to the warden container, and then implicitly that file) but not have access to the same list of env vars via the API?  

thanks
-Doug
________________________________________________________
STSM |  Standards Architect  |  IBM Software Group
(919) 254-6905  |  IBM 444-6905  |  d...@us.ibm.com
The more I'm around some people, the more I like my dog.


Christopher Ferris ---08/19/2014 08:55:30 AM---https://www.pivotaltracker.com/n/projects/966314/stories/77151178 Chris

--
You received this message because you are subscribed to the Google Groups "Cloud Foundry Developers" group.
To view this discussion on the web visit
https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/1923eacf-dded-4758-8319-1d16e2a5d5d6%40cloudfoundry.org.


Mike Youngstrom

Aug 19, 2014, 1:16:01 PM
to vcap...@cloudfoundry.org
I think today it is fairly well locked down. However, it does provide another source of service credentials that you need to always be aware of. For example, if fine-grained security is completed this becomes another thing that users need to be aware of before giving someone file access to apps. We also have a UI. Security would prefer passwords be redacted where possible to help prevent over-the-shoulder casual vulnerabilities where we can. That means that in our web file UI we need to add a special case to redact the env.log file when a user views it.

Those are some examples of possible issues. I think it is generally good practice to minimize the number of ways to acquire sensitive data. env.log, I believe, is now less useful than it was a few months ago.

Mike


Doug Davis

Aug 19, 2014, 1:24:53 PM
to vcap...@cloudfoundry.org

Mike,
  thanks for the background. The file crawler app, and having to special case that one file, is a good use case to think of. But, at the same time, I can't help but think this is one of those cases where it provides the warm-fuzzy security blanket feeling but there really isn't much there since, aside from the special case of a droplet viewer, anyone who could get to that file probably already has access to the env vars via the API. But, if it gets the security guys off our backs, ok....  :-)



thanks
-Doug
________________________________________________________
STSM |  Standards Architect  |  IBM Software Group
(919) 254-6905  |  IBM 444-6905  |  d...@us.ibm.com
The more I'm around some people, the more I like my dog.




Mike Youngstrom

Aug 19, 2014, 3:16:04 PM
to vcap...@cloudfoundry.org
Yes, our submitting the PR today is a reaction to getting the security guys off our backs, not because of a specific vulnerability. We've also had hard enough of a time getting some of our more traditional users comfortable with the idea of credentials even being available on demand via the API. Having them sitting in a file in their log directory is just another conversation I don't want to have with these users. :)

Mike

