nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0
26.85k stars 4.01k forks

Pass passwords to `occ maintenance:install` via files/stdin/env variables #6185

Open nephilim75 opened 7 years ago

nephilim75 commented 7 years ago

Hej

I use this command to finish my installation:

```
sudo -u www-data php occ maintenance:install --database "mysql" --database-name "nextcloud" --database-user "root" --database-pass "password" --admin-user "admin" --admin-pass "password"
```

This is working perfectly fine. :-)

But as I want to script this, I'd like to avoid adding visible password credentials of the database user (root) in this script. MySQL has an option called --defaults-file to handle this. Is it possible to use it with this 'occ command' as well?

If not, what possibilities do I have to reach the same result as the occ command?

Kind regards /neph

MorrisJobke commented 7 years ago

Wasn't there the option to pass in that stuff via env variables? @nickvergessen @Gomez ?

nickvergessen commented 7 years ago

Not for install

rullzer commented 7 years ago

But if you script it, you can just pass env variables to that script...

Kixunil commented 3 years ago

@rullzer that doesn't help because other processes can see anything on the command line. This design makes any automated installation inherently insecure.

Additionally, I think that in some environments even env vars are not secure. Ideally the password should be read from a file, or better, the whole configuration should be read from a file as requested in #8524

melato commented 2 years ago

This is also an issue for the --admin-pass password.

sudo (and "doas" in Alpine Linux) writes the whole command line, including the passwords, to the system log (such as /var/log/messages). So the database and the admin passwords are saved in a log file that is often forgotten and may stay around for a long time. The error log may be processed by various error log processing programs or services. The admin password is even more risky than the database password, because it can be used from the internet.

Having a flag like --password-from-env (as in occ user:add, user:resetpassword) does not necessarily solve this problem, because sudo does not propagate arbitrary environment variables like OC_PASS. If you use "sudo env OC_PASS=... php occ ..." then you put the password in the command line again.

The solution I've found for not saving passwords in the system log is to use "sudo -u " to call a program that generates the password or reads it from a file and then calls occ without calling sudo again.

I am less concerned about passwords being passed as process arguments, because I have no other users who might be snooping. If there are hypervisor users beyond my control that might be spying on my system, they could just as well be spying on password files.
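The wrapper approach described in the comment above, as an added example that is not part of the original thread or of Nextcloud's code: sudo is called once on the wrapper, which reads both passwords from owner-only files and then runs occ itself. The script path, `SECRET_DIR`, `OCC_DIR` and the file names `db-pass` and `admin-pass` are assumptions, as is Linux `stat -c`; the secret files must be owned by the web user.

```sh
#!/bin/sh
# Added example, not Nextcloud code. Run as the web user so that sudo logs only
# this script's path:  sudo -u www-data /usr/local/bin/nc-install.sh --install
# Hypothetical names: the script path, SECRET_DIR, db-pass, admin-pass, OCC_DIR.
# Assumes Linux `stat -c` (GNU coreutils or BusyBox).

SECRET_DIR="${SECRET_DIR:-/etc/nextcloud-install}"
OCC_DIR="${OCC_DIR:-/var/www/nextcloud}"

# Print the first line of a secret file. Refuse files that are missing, empty,
# or accessible to group/other, so a world-readable password fails loudly.
read_secret() {
    file="$1"
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "cannot read secret file: $file" >&2
        return 1
    fi
    mode=$(stat -c %a "$file") || return 1
    case "$mode" in
        *00) ;;   # owner-only, e.g. 600 or 400
        *)  echo "$file has mode $mode, expected 600 or stricter" >&2
            return 1 ;;
    esac
    secret=
    IFS= read -r secret < "$file" || :   # tolerate a missing trailing newline
    if [ -z "$secret" ]; then
        echo "secret file is empty: $file" >&2
        return 1
    fi
    printf '%s' "$secret"
}

run_install() {
    db_pass=$(read_secret "$SECRET_DIR/db-pass") || return 1
    admin_pass=$(read_secret "$SECRET_DIR/admin-pass") || return 1
    cd "$OCC_DIR" || return 1
    # No second sudo: this process already runs as the web user, so nothing
    # below reaches the sudo log. The passwords are still in occ's argv and
    # visible to local users (ps, /proc/<pid>/cmdline) while occ runs.
    exec php occ maintenance:install \
        --database "mysql" --database-name "nextcloud" \
        --database-user "root" --database-pass "$db_pass" \
        --admin-user "admin" --admin-pass "$admin_pass"
}

if [ "${1:-}" = "--install" ]; then
    run_install
fi
```

This keeps the passwords out of the sudo log only; the process-argument exposure raised earlier in the thread remains until occ can read them from a file, stdin or the environment.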

joshtrichards commented 4 months ago

Related: #8524