nulldriver / maven-resource

Maven Repository Manager Concourse Resource
Apache License 2.0

"debug: true" exposes Maven credentials #29

Open rondagostino opened 5 years ago

rondagostino commented 5 years ago

If I specify debug: true I can see in the job output everything that happens, including the determination of usernames and passwords. Isn't this a security issue? Should there be a way to prevent debug from being turned on somehow?

patrickcrocker commented 5 years ago

The debug flag is an undocumented feature to help me when I have to troubleshoot the resource. It can be incredibly useful, but yes it does have security implications. I'm open to options for achieving the same result in a more secure fashion... If we can't come up with anything, I'm open to removing it. Let me know your thoughts.

rondagostino commented 5 years ago

Thanks, yes, I agree it is very helpful (I couldn't have solved my problems without it). I can only think of 3 possible solutions. One possibility is to selectively enable/disable the output so that sensitive material is not emitted. It decreases the utility of the feature, and even if it can be done it means maintaining it to be sure nothing sensitive is accidentally exposed, but it keeps as much of the feature as possible. Another possibility is to somehow introspect the Concourse environment itself and not support the feature if the instance administrator somehow sets an environment variable or other such flag to indicate that this is a "secure" or "production" instance of Concourse. A final possibility that I can think of is to maintain 2 separate distributions: one that supports the flag and another that does not.

I hope these thoughts help.
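The first option above (keep the debug output but mask sensitive values before they are emitted) can be sketched as a small filter. This is an added example, not code from maven-resource or from either commenter; it assumes debug output is produced by shell tracing (`set -x`) or similar, and that credentials appear as `-Dpassword=...` style properties, `<password>` elements from a settings.xml, `user:pass@` in repository URLs, or a `password="..."` attribute. Any other shape passes through unchanged, which is the maintenance burden the comment mentions.

```shell
#!/bin/sh
# Added example (not the maven-resource project's code): mask credential
# values in debug/trace output before it reaches the Concourse job log.
# Assumed secret shapes (hypothetical, chosen for this example):
#   user:pass@ inside a URL, <password>..</password>, -D*password=..,
#   and password="..". Everything else is passed through unchanged.

redact() {
  sed -E \
    -e 's#(://[^/:@[:space:]]+:)[^@[:space:]]+@#\1[REDACTED]@#g' \
    -e 's#(<password>)[^<]*(</password>)#\1[REDACTED]\2#g' \
    -e 's#(-D[A-Za-z0-9_.]*[Pp]assword=)[^[:space:]]+#\1[REDACTED]#g' \
    -e 's#([Pp]assword=")[^"]*(")#\1[REDACTED]\2#g'
}

# Run a command with tracing on, but route the trace through the filter so a
# debug run still shows every step without the credential values.
# Caveat: the pipeline's exit status is redact's, not the command's; under
# bash, `set -o pipefail` preserves the command's status.
traced() {
  { set -x; "$@"; } 2>&1 | redact
}

# Constructed sample lines standing in for a traced deploy step.
demo() {
  printf '%s\n' \
    '+ mvn deploy -Durl=https://deployer:s3cret@repo.example.test/releases -Dpassword=hunter2' \
    '<password>hunter2</password>' \
    '+ mvn -s settings.xml deploy' | redact
}
```

In the resource scripts, the wrapper would replace a bare `set -x` at the point where the debug flag is checked, so the flag stays useful without the exposure noted in the issue.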