  1. jclouds
  2. JCLOUDS-623

Insecure passing of password to sudo on SubmitScriptOnNode with initscript.


Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.8.0
    • None
    • jclouds-compute

    Description

      In the file SudoAwareInitManager sudo is used to grant superuser access to execute the initscript.

      This can be observed at line 116 of https://github.com/jclouds/jclouds/blob/4c74b497547e42b8bdc94dbae3d4cd94ff3945d6/compute/src/main/java/org/jclouds/compute/callables/SudoAwareInitManager.java

      command = String.format("echo '%s'|sudo -S %s %s", node.getCredentials().getPassword(),

      The problem is that providing the password as cleartext means it can be intercepted, for example in 'ps', by another user.

      In another file the password is not echo'd and piped in but redirected:
      https://github.com/jclouds/jclouds/blob/4c74b497547e42b8bdc94dbae3d4cd94ff3945d6/compute/src/main/java/org/jclouds/compute/callables/RunScriptOnNodeUsingSsh.java

      I am unsure if this is more secure, but the command as a whole gets transmitted to the remote shell I believe.

      I propose using execChannel instead of 'exec' of SshClient for all commands and use InputStream/OutputStreams to 'catch' sudo asking for a password and only if asked print it.
      This also allows for better error control as we can catch if sudo was successful or not far earlier in the script execution process.

      Instead of just "sudo -S command" I propose the following more elaborate command:

      randomint=1231443
      prompt="[sudo] jclouds-$randomint requires a password: "
      successkey="SUCCESS-$randomint"

      sudo -k && sudo -H -S -p "$prompt" -u root /bin/sh -c "echo $successkey && /command/to/execute"

      This deserves some explaining. sudo -k kills any active sudo session. The -p means that the prompt provided will be shown to the user. This allows us to always be able to catch this output and with $randomint inserted we are sure that it is a password prompt.

      In stderr we catch the prompt and then pass the password to stdin. Then we listen to stdout to catch "SUCCESS-$randomint" with $randomint being the same as in the prompt. If any output other than that successkey shows up, we know it was not successful.

      This insight into using sudo this way comes from the way that Ansible is implemented.
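
The handshake proposed in the description, as an added Python example that is not part of the original report and is not jclouds code: the password is absent from the command line, is written to the child's stdin only after the unique prompt appears on stderr, and the run counts as successful only if the first stdout line is the success key. The names `build`, `handshake`, `fake_sudo_argv`, `FAKE_SUDO` and the status strings are assumptions made for illustration, and the child runs locally here where jclouds would use an SSH exec channel.

```python
import os, secrets, selectors, shlex, subprocess

def build(command):
    """Unique prompt, success key and the report's command line (no password in it)."""
    token = secrets.randbelow(10**9)
    prompt, key = f"[sudo] jclouds-{token} requires a password: ", f"SUCCESS-{token}"
    inner = shlex.quote(f"echo {key} && {command}")
    return prompt, key, f"sudo -k && sudo -H -S -p {shlex.quote(prompt)} -u root /bin/sh -c {inner}"

def handshake(argv, password, prompt, key, timeout=10.0):
    """Answer the stderr prompt once; require key as first stdout line. Returns (status, output)."""
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, bufsize=0)
    sel = selectors.DefaultSelector()
    sel.register(proc.stdout, selectors.EVENT_READ, "out")
    sel.register(proc.stderr, selectors.EVENT_READ, "err")
    buf, status, sent = {"out": b"", "err": b""}, None, False
    while status is None:
        events = sel.select(timeout)
        if not events:
            status = "timeout"
        for ev, _ in events:
            chunk = os.read(ev.fd, 4096)
            buf[ev.data] += chunk
            if not chunk:                       # EOF on this pipe
                sel.unregister(ev.fileobj)
                if ev.data == "out":
                    status = "no-success-key"
        asked = buf["err"].count(prompt.encode())
        if asked > 1:                           # prompted again: password was wrong
            status = "password-rejected"
        elif asked == 1 and not sent and status is None:
            proc.stdin.write(password.encode() + b"\n")   # written only when asked
            sent = True
        if status is None and b"\n" in buf["out"]:
            first = buf["out"].partition(b"\n")[0]
            status = "ok" if first == key.encode() else "unexpected-output"
    sel.close()
    if status != "ok":
        proc.kill()
    tail = buf["out"].partition(b"\n")[2] + proc.communicate()[0]
    return status, (tail.decode() if status == "ok" else "")

# Constructed stand-in for sudo so the example runs offline; real sudo checks the password.
FAKE_SUDO = ('printf %s "$1" >&2; read -r pw; '
             'if [ "$pw" = "$3" ]; then echo "$2"; echo "uid=0(root)"; '
             'else printf "Sorry, try again.\\n%s" "$1" >&2; read -r pw; fi')

def fake_sudo_argv(prompt, key, real_password):
    return ["/bin/sh", "-c", FAKE_SUDO, "fake-sudo", prompt, key, real_password]
```

Against a real host the child would be `["/bin/sh", "-c", cmd]` with `cmd` taken from `build()`; the stand-in only reproduces sudo's prompt and re-prompt behaviour.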


          People

            Unassigned Unassigned
            wernerbu Werner Buck
