Bug 1225432 - [Agama][Milestone8+] iSCSI Discovery Passwords are logged into y2log in plain text
Summary: [Agama][Milestone8+] iSCSI Discovery Passwords are logged into y2log in plain...
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Installation
Version: Current
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: Jiri Srain
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-28 07:32 UTC by Lukas Ocilka
Modified: 2024-06-12 08:30 UTC
CC List: 1 user

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Snippet of the log (337.27 KB, image/png) - 2024-05-28 07:32 UTC, Lukas Ocilka
The dialog for searching for iSCSI... (107.25 KB, image/png) - 2024-05-28 07:33 UTC, Lukas Ocilka
YaST logs with more details (252.20 KB, application/x-xz) - 2024-05-28 07:33 UTC, Lukas Ocilka

Description Lukas Ocilka 2024-05-28 07:32:43 UTC
Created attachment 875149 [details]
Snippet of the log

When iSCSI Targets are being discovered in Agama, the iSCSI library logs all the details. Sadly, also including passwords.

How to reproduce? Easily

-> Start Agama Installer
-> Go to Storage details
-> Click Prepare devices by configuring advanced storage technologies
-> Choose iSCSI
-> Click Discover iSCSI targets
-> Fill in some users/passwords
-> Click Confirm

This will be most probably the same in YaST as well because it uses the same library. BTW, there are two entries for user/password, but you can see only the first one in the log. That's most probably because the second one would be used later, if the first one succeeds (not my case).

Additionally, even the save_y2logs script does not remove the passwords, maybe because the string in the log looks like this:

{"name"=>"discovery.sendtargets.auth.password", "value"=>"and their password", "kind"=>"value", "type"=>1, "comment"=>""}
Comment 1 Lukas Ocilka 2024-05-28 07:33:29 UTC
Created attachment 875150 [details]
The dialog for searching for iSCSI...
Comment 2 Lukas Ocilka 2024-05-28 07:33:53 UTC
Created attachment 875151 [details]
YaST logs with more details
Comment 3 Stefan Hundhammer 2024-05-28 08:44:36 UTC
This should be as easy as replacing

  attr_accessor :password

with 

  secret_attr :password

and adding

  require "yast2/secret_attributes"

  class ...
    include Yast2::SecretAttributes
Comment 4 Knut Alejandro Anderssen González 2024-05-28 09:19:09 UTC
Have not checked it deeper, but...

https://github.com/yast/yast-iscsi-client/blob/920ffae4b15dee0fb5f075d59b6f169679bb7a94/src/lib/y2iscsi_client/config.rb#L44

We are logging the raw_data read which includes everything...
Comment 5 Stefan Hundhammer 2024-05-28 09:50:50 UTC
>> 08:56:08 <1> [Ruby] modules/IscsiClientLib.rb(oldConfig):422 
>>   Store temporary config #<Y2IscsiClient::Config:0x00007f4a91d6b310 @raw_data=...

>> 09:18:29 <1> [Ruby] modules/IscsiClientLib.rb(oldConfig):422 
>>   Store temporary config #<Y2IscsiClient::Config:0x00007f4a91d6b310 @raw_data=...


https://github.com/yast/yast-iscsi-client/blob/master/src/modules/IscsiClientLib.rb#L422

>>    Builtins.y2milestone("Store temporary config %1", @config)

Not sure if that log line is ever going to be very helpful to us.
Comment 6 Stefan Hundhammer 2024-05-28 11:46:22 UTC
This @config is an array of hashes, not a real class, so using 'secret_attr' will not help. It's buried here:

https://github.com/yast/yast-iscsi-client/blob/master/src/lib/y2iscsi_client/config.rb

I suggest simply removing that y2milestone line (see comment #5).
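The point made in comment #3 and comment #6 is that `secret_attr` protects an attribute on a class, while here the secret sits inside plain hashes in an array, so the accessor approach does not reach it. As an added illustration (this is not code from yast-iscsi-client or yast2), the Ruby below shows the data-level alternative: mask the "value" of every entry whose "name" ends in a password key before the structure is rendered for a log call, and check that the rendered string no longer contains the known secrets. The sample entries are constructed in the shape of the hash quoted in the description; the `password_in` key, the pattern and the function names are assumptions.

```ruby
# Added example, not code from yast-iscsi-client: redact secrets from the
# iscsiadm-style "array of hashes" before it is logged.

# Entry names that carry secrets. Constructed from the entry quoted in the bug
# description; the "_in" variant is the assumed incoming-CHAP password key.
SECRET_NAME_PATTERN = /\.password(_in)?\z/i

REDACTED = "<redacted>".freeze

# Return a copy of `data` in which the "value" of every entry whose "name"
# matches SECRET_NAME_PATTERN is replaced. The original object is untouched,
# so the real config still works; only the copy handed to the log is masked.
def redact_secrets(data)
  case data
  when Array
    data.map { |item| redact_secrets(item) }
  when Hash
    name = data["name"]
    if name.is_a?(String) && name.match?(SECRET_NAME_PATTERN)
      data.merge("value" => REDACTED)
    else
      data.transform_values { |value| redact_secrets(value) }
    end
  else
    data
  end
end

# What one would hand to a log call instead of the raw config object.
def loggable_config(raw_data)
  redact_secrets(raw_data).inspect
end

# Defensive check: does a rendered log string still contain any known secret?
def leaks_secret?(rendered, secrets)
  secrets.any? { |secret| !secret.empty? && rendered.include?(secret) }
end

# Constructed sample in the same shape as the entry quoted in the description.
SAMPLE_RAW_DATA = [
  { "name" => "discovery.sendtargets.auth.authmethod", "value" => "CHAP",
    "kind" => "value", "type" => 1, "comment" => "" },
  { "name" => "discovery.sendtargets.auth.username", "value" => "initiator",
    "kind" => "value", "type" => 1, "comment" => "" },
  { "name" => "discovery.sendtargets.auth.password", "value" => "hunter2",
    "kind" => "value", "type" => 1, "comment" => "" },
  { "name" => "discovery.sendtargets.auth.password_in", "value" => "s3cret",
    "kind" => "value", "type" => 1, "comment" => "" }
].freeze

if $PROGRAM_NAME == __FILE__
  secrets = %w[hunter2 s3cret]
  puts "raw      leaks a secret: #{leaks_secret?(SAMPLE_RAW_DATA.inspect, secrets)}"
  puts "redacted leaks a secret: #{leaks_secret?(loggable_config(SAMPLE_RAW_DATA), secrets)}"
  puts loggable_config(SAMPLE_RAW_DATA)
end
```

Matching on the entry name rather than on the value is the deliberate choice: a scrubber such as save_y2logs would have to know the password string to find it, whereas the key name is stable and known in advance, and the non-secret entries (authmethod, username) stay readable for debugging.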
Comment 7 Stefan Hundhammer 2024-05-28 11:57:40 UTC
Fix:

https://github.com/yast/yast-iscsi-client/pull/128
Comment 8 Stefan Hundhammer 2024-05-28 12:08:13 UTC
The fix will become available with yast2-iscsi-client-5.0.2.
Comment 9 Stefan Hundhammer 2024-05-28 12:10:38 UTC
SR to OBS openSUSE:Factory:

  https://build.opensuse.org/request/show/1177328
Comment 10 Stefan Hundhammer 2024-05-28 14:36:52 UTC
This also affects yast-iscsi-client as a standalone YaST module as well as using iSCSI during a YaST installation.

Backport to SLE-15-SP5:

  PR: https://github.com/yast/yast-iscsi-client/pull/129

  SR to IBS SLE-15-SP5: https://build.suse.de/request/show/332524


Backport to SLE-15-SP6:

  PR: https://github.com/yast/yast-iscsi-client/pull/130

  The SR failed with an HTTP 403 :-(

  "The target project SUSE:SLE-15-SP6:GA is not accepting
   requests because: Project is locked."
Comment 11 Maintenance Automation 2024-06-12 08:30:02 UTC
SUSE-RU-2024:2004-1: An update that has one fix can now be installed.

Category: recommended (moderate)
Bug References: 1225432
Maintenance Incident: [SUSE:Maintenance:34090](https://smelt.suse.de/incident/34090/)
Sources used:
openSUSE Leap 15.5 (src):
 yast2-iscsi-client-4.5.9-150500.3.6.2
Basesystem Module 15-SP5 (src):
 yast2-iscsi-client-4.5.9-150500.3.6.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.