I have a cluster of servers, each with configuration files that currently contain plain-text passwords for sensitive, mission-critical systems (message queues, data stores, and other services).
Some people move critical passwords out of configuration files into an environment variable of the user accounts under which the server processes run. In this way, configuration files can be committed to version control, and the system administrator only needs to create an appropriate environment variable when the server system is set up. Naturally, access to the accounts that run these services is very restricted.
Is this really the best way to avoid passwords in plain-text configuration files, or is there a better way?
Answer
If you're on a Linux system, look at /proc/*/environ and decide if environment variables are a good place to store sensitive information or not. /proc/self is the current process:
$ tr '\0' '\n' < /proc/self/environ
USER=me
LOGNAME=me
HOME=/home/me
PATH=/usr/bin:/bin:/usr/sbin:/sbin
MAIL=/var/mail/me
SHELL=/usr/bin/sh
SSH_CLIENT=1.2.3.4 58195 22
SSH_CONNECTION=1.2.3.4 58195 7.8.9.0 22
SSH_TTY=/dev/pts/1
TERM=xterm
Never mind that the thing setting the environment variable is probably reading a file somewhere.
The thing to remember is that using a password means the password is available to the program. If this password is not provided by a user typing it in every time a program needs it, that password must be accessible based on only the program's access. You can encrypt the password locally and have the program decrypt using a key, but all that does is obscure the password against accidental disclosure; someone who has the same access as the program can do the same things the program can do, which includes reading the encryption key.
The right way to do this is to have the application run as a restricted account, and store the password in a file protected with filesystem-level permissions. Hopefully you can "include" a file or similar in order to keep the password out of a version control system (assuming the VCS has no security controls). To protect against inadvertent disclosure, obscure the password however you want - base64 encode it, use pgp to encrypt, whatever makes sense in your server program's set of options. If you're writing a program to do this, about the best you can do is to prompt a user for the password only when needed, and then purge that password from memory as soon as it's used.
No comments:
Post a Comment