security: unnecessary and potentiall insecure call to os.ExpandEnv for --certs-dir #69412
Description
Problem description
Currently the code in the pkg/security package interprets the --certs-dir command-line flag using the Go function os.ExpandEnv.
This makes it possible to indirectly use environment variables when specifying the value of --certs-dir. For example, the user can type --certs-dir='$HOME/.certs'. Note the single quotes: the expansion is performed inside the process (by Go), not by the shell.
There are several problems with this approach:
-
it is surprising -- this type of expansion is extremely uncommon for the command-line flags of server services, and generally only used when parsing configuration files. The reason why it is uncommon is that there is already another mechanism that can do this, namely the shell's own expansion facilities, and therefore this double expansion is not really needed.
-
it makes it difficult/impossible to use in the (albeit unusual) case where the directory name on disk contains a dollar sign.
-
it may constitute a security vulnerability, as it enables the flag expansion to access arbitrary environment variables in the shell that launches crdb and observe their value by looking at the error messages upon certificate loads. For example, a malicious user that can indirectly control the flag can specify
--certs-dir=$COCKROACH_LICENSE_KEYand discover the env var value in the error message even if they don't have access to env vars otherwise.
Finally, this functionality is probably never used. We do not mention it in docs, and experience reading deployment scripts suggests it is not being used in practice.
Suggested resolution
Remove the call to os.ExpandEnv in the pkg/security package.
Jira issue: CRDB-9584