Open freedge opened 4 months ago
andyzhangx
commented
4 months ago @freedge
sensitiveMountOptions is used in k8s smb mount, that's a common practice, it won't appear in the csi driver logs
if you use -o credentials=/path/to/credentials/file, the password would be stored in the credential file, that's also a security issue.
mount -t cifs //server/share /mnt/mountpoint -o credentials=/path/to/credentials/file
freedge
commented
4 months ago the process table is readable by any user (in the pid namespace) while a file benefits from user permissions and is not recorded by auditing tools. Here it should probably be a file in memory under /run or a pipe file descriptor, created for the duration of the mount call. Or passed through stdin as an alternative.
(some guidelines https://clig.dev/#arguments-and-flags)
k8s-triage-robot
commented
1 month ago The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale is appliedlifecycle/stale was applied, lifecycle/rotten is appliedlifecycle/rotten was applied, the issue is closedYou can:
/remove-lifecycle stale/closePlease send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
freedge
commented
1 month ago /remove-lifecycle stale still very much a secret leaking on the command line
What happened:
the cifs credentials are given as mount process arguments, so they appear in the process table and are recorded by auditing tools https://github.com/kubernetes-sigs/azurefile-csi-driver/blob/54a024d295477f8696a43097a5a50675298038e8/pkg/azurefile/nodeserver.go#L317-L318
the documentation this refers too is also wrong.
What you expected to happen:
no password appearing in the process table, use
-o credentials=insteadHow to reproduce it:
Anything else we need to know?:
this is what stackrox finds
Environment:
kubectl version): v1.25.12 as bundled in OCP 4.12uname -a):