jjmonsalveg
commented
7 years ago hello! @rroemhild in version 17.01 this file docker-20_ejabberd_register_users.sh prints the password in stdout in plain text this exposes the credentials of the users
Open jjmonsalveg opened 7 years ago
jjmonsalveg
commented
7 years ago hello! @rroemhild in version 17.01 this file docker-20_ejabberd_register_users.sh prints the password in stdout in plain text this exposes the credentials of the users
rroemhild
commented
7 years ago Hi @jjmonsalveg, this could be solved with another envvar. Something like EJABBERD_EXPOSE_CREDENTIALS true or false and hide user passwords if set to false.
jjmonsalveg
commented
7 years ago That is a good idea or you can also take advantage of the variable EJABBERD_LOGLEVEL when it has value 5 (debug) ejabberd also shows the credentials
rroemhild
commented
7 years ago Why should we hide the password at all? If it's an security issue then the user should be created with the API or located on a different database, i.e. LDAP, MySQL. If you set the password in the environment variable, others with access can see the environment variable from the running container too.
The idea to print the password to STDOUT is for fast and simple setup or for tests.
I think passwords set via environment or generated by the random password generator are just for the first start and should be changed immediately in an production environment.
Do you agree? What are your thoughts why we should hide the password from stdout?
jjmonsalveg
commented
7 years ago Hello again, @rroemhild thanks for responding. As I mentioned above when running the container:
docker run \ --name "ejabberd" \ -p 5222:5222 \ -p 5269:5269 \ -p 5280:5280 \ -h 'xmpp.example.de' \ -e "XMPP_DOMAIN=example.de" \ -e "ERLANG_NODE=ejabberd" \ -e "EJABBERD_ADMINS=admin@example.de admin2@example.de" \ -e "EJABBERD_USERS=admin@example.de:password1234 admin2@example.de" \ -e "TZ=Europe/Berlin" \ rroemhild/ejabberd:17.01
It produces this result in stdout log:
User admin@example.de successfully registered Password for user admin@example.de is password1234 User admin2@example.de successfully registered Password for user admin2@example.de is poW1DSrZf9f68ExE
If we run it by adding "EJABBERD_LOGLEVEL = 5":
docker run --name "ejabberd" -p 5222:5222 -p 5269:5269 -p 5280:5280 -h \ 'xmpp.example.de' -e "XMPP_DOMAIN=example.de" -e "ERLANG_NODE=ejabberd" -e \ "EJABBERD_ADMINS=admin@example.de admin2@example.de" -e \ "EJABBERD_USERS=admin@example.de:password1234 admin2@example.de" -e \ "TZ=Europe/Berlin" -e "EJABBERD_LOGLEVEL=5" rroemhild/ejabberd:17.01
Then in stdout log we can see a more verbose output from the ejabberd technology added to the echo of your docker-20_ejabberd_register_users.sh:
17:08:44.657 [debug] Command 'register' execution allowed by rule 'console commands' (CallerInfo=#{caller_module => ejabberd_ctl}) 17:08:44.657 [debug] Executing command ejabberd_admin:register with Args=[<<"admin">>,<<"example.de">>,<<"password1234">>] User admin@example.de successfully registered Password for user admin@example.de is password1234 17:08:44.846 [debug] Command 'register' execution allowed by rule 'console commands' (CallerInfo=#{caller_module => ejabberd_ctl}) 17:08:44.846 [debug] Executing command ejabberd_admin:register with Args=[<<"admin2">>,<<"example.de">>,<<"hR8CZxl15JHfzMUl">>] User admin2@example.de successfully registered Password for user admin2@example.de is hR8CZxl15JHfzMUl
I see three options for obtaining the "desired" operation:
I explain why I expose the case, what happens is that I use docker cloud and any user authorized to enter from a web browser (any member of the team of developers) can see the credentials of the users in plain text from the log, the log is Shown from the docker cloud web interface, so for a development / test environment is phenomenal but for production maybe not. Solve this taken option 2 for my production environment I deleted the echo and use EJABBERD_LOGLEVEL less than 5
Hello, When running the container:
In the log the passwords are shown in plain text, how can I avoid this ?:
Can someone help me please? thanks