Bug #22283

ceph-volume - sudo logs commands to journal/syslog, incl. auth key

Added by Alwin Antreich over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 11/30/2017
Due date:
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

As a side effect of running commands as sudo (#22282), all commands are logged to journal/syslog; this includes the auth key of the osd.

Nov 30 14:11:24 sumi2 sudo[10587]:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/ceph-osd --cluster ceph --osd-objectstore bluestore --mkfs -i 15 --monmap /var/lib/ceph/osd/ceph-15/activate.monmap --key AQB7AyBa+2NjIhAAVN3xoje5foheGHKVZG+qfQ== --osd-data /var/lib/ceph/osd/ceph-15/ --osd-uuid 43e7b38b-80e7-47db-b64a-079ae4a39dd1 --setuser ceph --setgroup ceph
Nov 30 14:11:26 sumi2 sudo[10724]:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/systemctl start ceph-osd@15
Nov 30 14:11:26 sumi2 ceph-osd[10755]: starting osd.15 at - osd_data /var/lib/ceph/osd/ceph-15 /var/lib/ceph/osd/ceph-15/journal
Nov 30 14:11:27 sumi2 ceph-osd[10755]: 2017-11-30 14:11:27.167604 7f57921d0e00 -1 osd.15 0 log_to_monitors {default=true}
Nov 30 14:11:28 sumi2 ceph-osd[10755]: 2017-11-30 14:11:28.235797 7f57795fb700 -1 osd.15 0 waiting for initial osdmap
Nov 30 14:16:19 sumi2 sudo[12557]:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/ceph-osd --cluster ceph --osd-objectstore bluestore --mkfs -i 17 --monmap /var/lib/ceph/osd/ceph-17/activate.monmap --key AQCiBCBaGE06ExAAIWpHOgpAjhQneHdqhNEfyA== --osd-data /var/lib/ceph/osd/ceph-17/ --osd-uuid d0e1b24a-f780-4b74-b456-fc6d37236c6d --setuser ceph --setgroup ceph
Nov 30 14:16:21 sumi2 sudo[12692]:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/systemctl start ceph-osd@17
Nov 30 14:16:21 sumi2 ceph-osd[12700]: starting osd.17 at - osd_data /var/lib/ceph/osd/ceph-17 /var/lib/ceph/osd/ceph-17/journal
Nov 30 14:16:21 sumi2 ceph-osd[12700]: 2017-11-30 14:16:21.932381 7f5622572e00 -1 osd.17 0 log_to_monitors {default=true}
Nov 30 14:16:23 sumi2 ceph-osd[12700]: 2017-11-30 14:16:23.006502 7f560999d700 -1 osd.17 0 waiting for initial osdmap

As those log files are often transmitted off server, the auth key will also be exposed to a wider audience.
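A check for the exposure described above, as an added example that is not part of the original report or of ceph-volume: it scans syslog lines for sudo `COMMAND=` records that carry a `--key` argument, reports which OSD id is affected, and produces a redacted copy suitable for forwarding. The function name `scan`, the hostname and the key in the sample are constructed for illustration.

```python
import re

# sudo's syslog record; captures the command line it logged.
SUDO_CMD = re.compile(r"\bsudo\[\d+\]:.*?\bCOMMAND=(?P<cmd>.+)$")
# "--key <value>" or "--key=<value>", as in the ceph-osd --mkfs call above.
KEY_ARG = re.compile(r"(?<=\s)(--key[= ])(\S+)")
# "-i <id>" names the OSD whose key was logged.
OSD_ID = re.compile(r"\s-i\s+(\d+)\b")


def scan(lines):
    """Return (findings, redacted_lines) for an iterable of syslog lines."""
    findings, redacted = [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        m = SUDO_CMD.search(line)
        if m and KEY_ARG.search(m.group("cmd")):
            cmd = m.group("cmd")
            osd = OSD_ID.search(cmd)
            findings.append({
                "line": lineno,
                "binary": cmd.split()[0],
                "osd_id": int(osd.group(1)) if osd else None,
            })
            # Rewrite only the command part; timestamp and host stay intact.
            line = line[:m.start("cmd")] + KEY_ARG.sub(r"\1[REDACTED]", cmd)
        redacted.append(line)
    return findings, redacted


# Constructed sample: hostname and key are made up, not taken from the report.
FAKE_KEY = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
SAMPLE = [
    "Nov 30 14:11:24 host1 sudo[10587]:     root : TTY=pts/0 ; PWD=/root ; "
    "USER=root ; COMMAND=/usr/bin/ceph-osd --cluster ceph --mkfs -i 15 "
    f"--key {FAKE_KEY} --osd-data /var/lib/ceph/osd/ceph-15/",
    "Nov 30 14:11:26 host1 sudo[10724]:     root : TTY=pts/0 ; PWD=/root ; "
    "USER=root ; COMMAND=/bin/systemctl start ceph-osd@15",
    "Nov 30 14:11:28 host1 ceph-osd[10755]: osd.15 0 waiting for initial osdmap",
]

if __name__ == "__main__":
    hits, clean = scan(SAMPLE)
    for hit in hits:
        print(f"line {hit['line']}: key for osd.{hit['osd_id']} logged via {hit['binary']}")
    print("\n".join(clean))
```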

History

#1 Updated by Alfredo Deza over 1 year ago

  • Category set to 135

#2 Updated by Alfredo Deza over 1 year ago

We can safely remove all `sudo` additions to commands because we are already making sure that super user privileges are checked on commands that need them.

#3 Updated by Alfredo Deza over 1 year ago

  • Status changed from New to Verified

#4 Updated by Andrew Schoen over 1 year ago

  • Assignee set to Andrew Schoen

#5 Updated by Kefu Chai over 1 year ago

  • Status changed from Verified to Resolved
