#1038139 debci-worker: Process leaks authentication data via amqp-tools

Package:
debci
Source:
debci
Submitter:
Christian Kastner
Date:
2023-07-06 12:36:02 UTC
Severity:
normal
Tags:
#1038139#5
Date:
2023-06-15 20:48:57 UTC
From:
To:
Hi,

When using authentication in AMQP connections, the username and password
supplied in the --url option to amqp-consume resp. amqp-publish are
exposed in the process list, see #1037322:

  $ pgrep -a amqp-consume
  62287 amqp-consume --url amqp://user:pass@192.168.0.1 --queue=myqueue

A patch has been accepted upstream to read the username and password
from a file. I assume this will make its way into amqp-tools soon.

Unless I'm mistaken, debci will need to be updated for this, e.g. by
adding a debci_amqp_pwfile config option + NEWS entry suggesting that
people migrate to this new option. I'd be happy to file an MR for this,
once amqp-tools has been fixed.

Best,
Christian
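The leak described above is generic: anything placed in argv is readable by every local user through /proc/<pid>/cmdline, which is exactly what pgrep -a prints. The following is an added example (not debci or amqp-tools code) that audits command lines for URLs carrying userinfo, redacts the password for reporting, and shows how a secret file of the kind the upstream patch reads should be created. It assumes the Linux /proc layout; the sample command lines, PIDs and hostnames are constructed for the demonstration.

```python
"""Audit argv of running processes for URL-embedded credentials.

Added example, not part of debci or amqp-tools. Assumes Linux, where
/proc/<pid>/cmdline holds argv as NUL-separated strings (the source
pgrep -a reads). The sample data below is constructed for illustration.
"""
import os
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: raw /proc/<pid>/cmdline content for two leaking
# processes modelled on the bug report, plus one that uses no userinfo.
SAMPLE_CMDLINES = {
    62287: b"amqp-consume\0--url\0amqp://user:pass@192.168.0.1\0--queue=myqueue\0",
    62300: b"amqp-publish\0--url=amqps://ci:s3cret@broker.example.test:5671\0-r\0q\0",
    1234: b"amqp-consume\0--url\0amqps://broker.example.test\0--queue=myqueue\0",
}

# Any scheme://... token inside an argument (also matches --url=amqp://...).
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s]+")


def redact_url(url):
    """Return (has_credentials, url with the password replaced by '***')."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return False, url
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    user = parts.username or ""
    netloc = f"{user}:***@{host}" if parts.password is not None else f"{user}@{host}"
    return True, urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def find_leaks(cmdlines):
    """cmdlines: {pid: raw bytes of /proc/<pid>/cmdline}.

    Returns {pid: redacted argv as one string} for every process whose
    argv contains a URL with userinfo. Clean processes are omitted.
    """
    leaks = {}
    for pid, raw in cmdlines.items():
        argv = raw.decode("utf-8", "replace").rstrip("\0").split("\0")
        flagged = False
        redacted = []
        for arg in argv:
            def _sub(m):
                nonlocal flagged
                leaked, clean = redact_url(m.group(0))
                flagged = flagged or leaked
                return clean
            redacted.append(URL_RE.sub(_sub, arg))
        if flagged:
            leaks[pid] = " ".join(redacted)
    return leaks


def scan_proc(proc="/proc"):
    """Read every readable /proc/<pid>/cmdline on this host and audit it."""
    cmdlines = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "cmdline"), "rb") as f:
                cmdlines[int(entry)] = f.read()
        except OSError:
            continue  # process exited, or /proc is restricted (hidepid)
    return find_leaks(cmdlines)


def write_secret_file(path, secret):
    """Create a mode-0600 file holding the secret, for tools that read
    credentials from a file instead of argv.

    The mode is set at open() time, so there is no window with a
    world-readable file, and O_EXCL refuses to reuse a pre-existing
    path (e.g. a symlink planted by another local user).
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret)
    return path


if __name__ == "__main__":
    for pid, line in scan_proc().items():
        print(f"{pid} {line}")
```

Running the script on a host lists only processes that expose credentials, with passwords already masked so the audit output itself does not become a second leak. Note that reading from a file only helps if the file is created as shown (restrictive mode at creation, no pre-existing path); a password file written with the default umask is readable by the same local users who could read /proc.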

#1038139#10
Date:
2023-06-16 15:56:21 UTC
From:
To:
Note that the variable where you inserted a username and password is
called debci_amqp_server, and was never supposed to be used for putting a
password in plain text. For the c.d.n deployment we use SSL client
certificates for authentication, and that's why the variables
debci_amqp_cacert, debci_amqp_cert, debci_amqp_key are there.

IMO that is no different from any other program that takes a url as a
command line parameter: you can pass a URL containing a username and
password, but then that's on you.

#1038139#15
Date:
2023-06-16 16:23:09 UTC
From:
To:
I think this is where the documentation of the --amqp option threw me
off, from debci(1):


Yeah, I was guessing as much.

I just wanted to make sure that in the case of only the server
certificate + client auth/pass, there's a safer way to do that.

Indeed. I only mentioned it since it's not entirely obvious for a
first-time debci user that the debci_amqp_server config option is passed
on via CLI to some other utility, rather than consumed by a library, or
similar.

Best,
Christian