muesli / beehive

A flexible event/agent & automation system with lots of bees 🐝
GNU Affero General Public License v3.0

Security issue with aesbackend.go environment variable #362

Open Profpatsch opened 3 years ago

Profpatsch commented 3 years ago

The -encrypt option introduced in https://github.com/muesli/beehive/pull/295 allows the config file to be encrypted via the BEEHIVE_CONFIG_PASSWORD environment variable:

https://github.com/muesli/beehive/blob/57a4fabd506def6a9be960839466fce271771f58/cfg/aesbackend.go#L225-L239

In general, using an environment variable for a password is more secure than using a command line argument, with one caveat:

You need to unset the variable after reading it. Otherwise it will leak into any process that beehive spawns directly or indirectly and any library that is used by the bees, which is a security risk.

Profpatsch commented 3 years ago

Since the save function also needs to read the password, it should probably be saved in a struct after the environment variable is unset. This is still not perfect (it could be read from the memory of the application), but better than leaking it to subprocesses by default.

cc @rubiojr
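The read-then-unset pattern suggested above, written out as an added Go example (not code from the beehive project); `AESBackend` here is a hypothetical stand-in for the backend in cfg/aesbackend.go, and the password value is constructed:

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// passwordEnvVar is the variable the -encrypt option reads.
const passwordEnvVar = "BEEHIVE_CONFIG_PASSWORD"

// AESBackend is a hypothetical stand-in for the real backend: it retains the
// password in memory so that Save can reuse it after the variable is gone.
type AESBackend struct {
	password string
}

// NewAESBackendFromEnv reads the password exactly once and then unsets the
// variable, so anything spawned later (or any library calling os.Environ)
// no longer sees it.
func NewAESBackendFromEnv() (*AESBackend, error) {
	pw, ok := os.LookupEnv(passwordEnvVar)
	if !ok || pw == "" {
		return nil, errors.New(passwordEnvVar + " is not set")
	}
	if err := os.Unsetenv(passwordEnvVar); err != nil {
		return nil, err
	}
	return &AESBackend{password: pw}, nil
}

// Password returns the retained secret for encrypting or decrypting the config.
func (b *AESBackend) Password() string { return b.password }

// EnvLeaksPassword scans os.Environ(), which is what exec.Cmd hands to a child
// process by default, and reports whether the secret would be inherited.
func EnvLeaksPassword() bool {
	for _, kv := range os.Environ() {
		if strings.HasPrefix(kv, passwordEnvVar+"=") {
			return true
		}
	}
	return false
}

func main() {
	os.Setenv(passwordEnvVar, "constructed-example-password") // constructed value
	b, err := NewAESBackendFromEnv()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("retained=%v leaks=%v\n", b.Password() != "", EnvLeaksPassword())
}
```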

rubiojr commented 3 years ago

Thanks @Profpatsch, a common and valid concern that we can probably mitigate (see https://github.com/restic/restic/pull/2910 and https://github.com/restic/restic/issues/521 for example for similar discussions and other alternatives), though if you run Beehive in an untrusted environment or execute rogue code (say via exec bee or linked modules), you'll probably have bigger issues.

I need to revisit the cfg package for https://github.com/muesli/beehive/pull/310 at some point, so adding it to my list.

Happy to help with a review if you feel like addressing this yourself before that happens.

Profpatsch commented 3 years ago

though if you run Beehive in an untrusted environment or execute rogue code (say via exec bee or linked modules), you'll probably have bigger issues.

That is not the problem; the problem is with the environment variable accidentally leaking. You regularly have processes which dump the whole environment into log files, for example.

juergenhoetzel commented 2 years ago

That is not the problem; the problem is with the environment variable accidentally leaking. You regularly have processes which dump the whole environment into log files, for example.

Opened a PR to retrieve the secret from an external command: Add support for reading AES backend password from external command