  1. Satellite
  2. SAT-20903

password is passed on cmdline and can be captured by any linux user


    • Low
    • None

      Description of problem:
      The password for `satellite-change-hostname` is passed on the command line. This is not good practice, as the password can be captured using the `ps aux` command if it is executed in the time window when the `satellite-change-hostname` process is running.

      Version-Release number of selected component (if applicable):
      satellite-6.10.0-0.9.beta.el7sat.noarch

      How reproducible:
      always

      Steps to Reproduce:
      1. run `satellite-change-hostname dhcp-2-193.vms.sat.rdu2.redhat.com -u admin -p PASSWORD`
      2. in parallel with step 1. run `ps aux | grep satellite`
      3.

      Actual results:
      [root@localhost ~]# ps aux | grep sat
      root 43075 2.3 0.0 211388 20128 pts/0 Sl+ 08:22 0:00 ruby /usr/sbin/satellite-change-hostname dhcp-2-193.vms.sat.rdu2.redhat.com -u admin -p PASSWORD

      Expected results:

      • There is a way to pass the password using an environment variable for scripted scenarios
      • The password can be read from the prompt.
      • There is no way to input the password through an insecure channel like the command line

      Additional info:
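
      The three expected results above, sketched in Ruby as an added example (not part of the original report and not the project's own code). The variable name `CHANGE_HOSTNAME_PASSWORD` and the helper names are assumptions made for this illustration.

```ruby
require 'optparse'
require 'io/console'

# Hypothetical variable name chosen for this example.
PASSWORD_ENV = 'CHANGE_HOSTNAME_PASSWORD'

# Parse "HOSTNAME -u USER". -p/--password is still recognised, but only so
# that it can be refused with a clear message instead of being accepted.
def parse_args(argv)
  opts = {}
  on_cmdline = false
  parser = OptionParser.new do |o|
    o.on('-u', '--username USER') { |v| opts[:username] = v }
    o.on('-p', '--password PASS') { on_cmdline = true }
  end
  opts[:hostname] = parser.parse(argv).first
  if on_cmdline
    raise ArgumentError, "-p is refused: argv is visible in `ps aux`; " \
                         "use #{PASSWORD_ENV} or the prompt"
  end
  opts
end

# Scripted runs: take the password from the environment and remove it so
# child processes do not inherit it. Interactive runs: prompt without echo.
def resolve_password(env: ENV, tty: IO.console)
  from_env = env.delete(PASSWORD_ENV)
  return from_env unless from_env.nil? || from_env.empty?
  raise ArgumentError, "no terminal: set #{PASSWORD_ENV}" if tty.nil?
  tty.getpass('Password: ')
end

def credentials(argv, env: ENV, tty: IO.console)
  parse_args(argv).merge(password: resolve_password(env: env, tty: tty))
end

# Constructed invocation mirroring step 1 of the report; it is rejected.
begin
  credentials(%w[new-host.example.test -u admin -p PASSWORD], env: {}, tty: nil)
rescue ArgumentError => e
  warn e.message
end
```

      Refusing `-p` does not hide a password that was already typed on the command line; it only removes the option so that scripts and users move to the environment variable or the prompt.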
