Open freedge opened 4 months ago
`sensitiveMountOptions` is used in k8s smb mount, that's a common practice, it won't appear in the csi driver logs.

If you use `-o credentials=/path/to/credentials/file`, the password would be stored in the credential file, that's also a security issue.
```
mount -t cifs //server/share /mnt/mountpoint -o credentials=/path/to/credentials/file
```

The process table is readable by any user (in the pid namespace), while a file benefits from user permissions and is not recorded by auditing tools. Here it should probably be a file in memory under /run or a pipe file descriptor, created for the duration of the mount call. Or passed through stdin as an alternative.

(some guidelines: https://clig.dev/#arguments-and-flags)
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:
- `lifecycle/stale` is applied
- after `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- after `lifecycle/rotten` was applied, the issue is closed

You can:
- `/remove-lifecycle stale`
- `/close`

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale
/remove-lifecycle stale

Still very much a secret leaking on the command line.
What happened:
The cifs credentials are given as mount process arguments, so they appear in the process table and are recorded by auditing tools: https://github.com/kubernetes-sigs/azurefile-csi-driver/blob/54a024d295477f8696a43097a5a50675298038e8/pkg/azurefile/nodeserver.go#L317-L318

The documentation this refers to is also wrong.
What you expected to happen:
No password appearing in the process table; use `-o credentials=` instead.

How to reproduce it:
Anything else we need to know?:
This is what stackrox finds.
Environment:
- `kubectl version`: v1.25.12 as bundled in OCP 4.12
- `uname -a`:
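The two option-building strategies discussed in this issue, side by side, as an added Go example. This is illustration code written for this page, not the azurefile-csi-driver's own code: the function names, the use of a temporary directory standing in for a tmpfs such as /run, and the sample account values are all assumptions. The first function reproduces the pattern the report objects to (the password lands in the option string and therefore in the mount process argv); the second writes a mode-0600 mount.cifs credentials file for the duration of the mount call and references it with `credentials=`, which is the alternative proposed in the thread.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// buildCifsOptionsInline builds the option string the way the issue objects
// to: username and password are placed directly in the options, so they
// reach mount(8)'s argv and are visible in /proc/<pid>/cmdline and in
// audit (execve) records.
func buildCifsOptionsInline(username, password string, extra []string) string {
	opts := []string{"username=" + username, "password=" + password}
	opts = append(opts, extra...)
	return strings.Join(opts, ",")
}

// buildCifsOptionsWithCredFile writes a mount.cifs credentials file (the
// "username=" / "password=" key=value lines that -o credentials= reads)
// into dir with mode 0600 and returns an option string that references the
// file instead of carrying the secret. The returned cleanup removes the
// file; the caller runs it once mount(8) has returned. In real use dir is
// assumed to be a tmpfs such as /run (assumption, not a driver setting).
func buildCifsOptionsWithCredFile(dir, username, password string, extra []string) (string, func() error, error) {
	// A line break in a value would inject extra key=value lines into the file.
	if strings.ContainsAny(username+password, "\r\n") {
		return "", nil, errors.New("username/password must not contain line breaks")
	}
	f, err := os.CreateTemp(dir, "cifs-cred-*")
	if err != nil {
		return "", nil, err
	}
	path := f.Name()
	cleanup := func() error { return os.Remove(path) }
	// CreateTemp already uses 0600; make the requirement explicit.
	if err := f.Chmod(0o600); err != nil {
		f.Close()
		_ = cleanup()
		return "", nil, err
	}
	if _, err := fmt.Fprintf(f, "username=%s\npassword=%s\n", username, password); err != nil {
		f.Close()
		_ = cleanup()
		return "", nil, err
	}
	if err := f.Close(); err != nil {
		_ = cleanup()
		return "", nil, err
	}
	opts := append([]string{"credentials=" + path}, extra...)
	return strings.Join(opts, ","), cleanup, nil
}

// leaksSecret reports whether the secret would be visible to anyone who can
// read the mount process's argv, i.e. whether it appears in the option string.
func leaksSecret(opts, secret string) bool {
	return strings.Contains(opts, secret)
}

func main() {
	// Constructed sample credentials, not real values.
	const user, pass = "svcaccount", "Hunter2!"
	extra := []string{"vers=3.0", "dir_mode=0777", "file_mode=0777"}

	inline := buildCifsOptionsInline(user, pass, extra)
	fmt.Println("inline options (password in argv):", inline)

	opts, cleanup, err := buildCifsOptionsWithCredFile(os.TempDir(), user, pass, extra)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	defer cleanup()
	fmt.Println("credentials-file options:", opts)
	fmt.Println("leaks secret? inline:", leaksSecret(inline, pass), "file:", leaksSecret(opts, pass))
	// The driver would now run: mount -t cifs //server/share /target -o <opts>
	// and call cleanup() as soon as mount returns.
}
```

The file variant still leaves the secret at rest for the length of the mount call, which is why the thread also suggests a pipe file descriptor or stdin; the 0600 mode and the immediate cleanup are what narrow that window. Any `domain=` value mount.cifs accepts can be added as a third line in the same format.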