security: remove unnecessary calls to os.ExpandEnv#81298
Merged
craig[bot] merged 1 commit intocockroachdb:masterfrom May 16, 2022
Conversation
Previously to this patch, the code in the pkg/security package interpreted the `--certs-dir` command-line flag using the Go function `os.ExpandEnv`. This made it possible to indirectly use environment variables when specifying the value of `--certs-dir`. For example, the user could type `--certs-dir='$HOME/.certs'`. Note the single quotes: the expansion is performed inside the process (by Go), not by the shell.

There are several problems with this approach:

- it is surprising -- this type of expansion is extremely uncommon for the command-line flags of server services, and generally only used when parsing configuration files. The reason why it is uncommon is that there is already another mechanism that can do this, namely the shell's own expansion facilities, and therefore this double expansion is not really needed.
- it makes it difficult/impossible to use in the (albeit unusual) case where the directory name on disk contains a dollar sign.
- it may constitute a security vulnerability, as it enables the flag expansion to access arbitrary environment variables in the shell that launches crdb and observe their value by looking at the error messages upon certificate loads. For example, a malicious user that can indirectly control the flag can specify `--certs-dir=$COCKROACH_LICENSE_KEY` and discover the env var value in the error message even if they don't have access to env vars otherwise.

Finally, this functionality is probably never used. We do not mention it in docs, and experience reading deployment scripts suggests it is not being used in practice.

Release note (backward-incompatible change): CockroachDB does not perform env var expansion in the parameter `--certs-dir` anymore. This was an undocumented feature. Uses like `--certs-dir='$HOME/path'` (expansion by CockroachDB) can be replaced by `--certs-dir="$HOME/path"` (expansion by the unix shell).
kpatron-cockroachlabs (Member) approved these changes on May 16, 2022.

kpatron-cockroachlabs (Contributor) left a comment:

Wow that's some super weird behavior.

Reviewed 1 of 2 files at r1, all commit messages.
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @catj-cockroach)
Author (Contributor):

TFYR! bors r=kpatron-cockroachlabs

Contributor:

Build succeeded:
knz added a commit to knz/cockroach that referenced this pull request on May 28, 2022:

> This is leftover work from cockroachdb#81298. Release note: None
Commit message:

Fixes #69412.

Previously to this patch, the code in the pkg/security package interpreted the `--certs-dir` command-line flag using the Go function `os.ExpandEnv`. This made it possible to indirectly use environment variables when specifying the value of `--certs-dir`. For example, the user could type `--certs-dir='$HOME/.certs'`. Note the single quotes: the expansion is performed inside the process (by Go), not by the shell.

There are several problems with this approach:

- it is surprising -- this type of expansion is extremely uncommon for the command-line flags of server services, and generally only used when parsing configuration files. The reason why it is uncommon is that there is already another mechanism that can do this, namely the shell's own expansion facilities, and therefore this double expansion is not really needed.
- it makes it difficult/impossible to use in the (albeit unusual) case where the directory name on disk contains a dollar sign.
- it may constitute a security vulnerability, as it enables the flag expansion to access arbitrary environment variables in the shell that launches crdb and observe their value by looking at the error messages upon certificate loads. For example, a malicious user that can indirectly control the flag can specify `--certs-dir=$COCKROACH_LICENSE_KEY` and discover the env var value in the error message even if they don't have access to env vars otherwise.

Finally, this functionality is probably never used. We do not mention it in docs, and experience reading deployment scripts suggests it is not being used in practice.

Release note (backward-incompatible change): CockroachDB does not perform env var expansion in the parameter `--certs-dir` anymore. This was an undocumented feature. Uses like `--certs-dir='$HOME/path'` (expansion by CockroachDB) can be replaced by `--certs-dir="$HOME/path"` (expansion by the unix shell).
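The two behaviours contrasted in the PR description and the commit message above, as an added example that is not CockroachDB's code: a hypothetical reconstruction of the old flag handling (`expandedCertsDir`, which runs the value through `os.ExpandEnv`) beside the corrected one (`literalCertsDir`, which uses the value verbatim), fed to a stand-in certificate loader (`loadCA`) whose error embeds the path it tried. The environment variable `DEMO_LICENSE` and its value are constructed for the demonstration and stand in for any secret held by the launching shell; the block also shows the dollar-sign directory problem from the second bullet.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// demoVar is a constructed environment variable name used only by this
// example; it stands in for a real secret in the shell that launches the server.
const demoVar = "DEMO_LICENSE"

// demoSecret is the constructed value placed in demoVar for the demonstration.
const demoSecret = "constructed-secret-value"

// expandedCertsDir is a hypothetical reconstruction of the pre-patch behaviour:
// the flag value passes through os.ExpandEnv inside the process.
func expandedCertsDir(flagValue string) string {
	return os.ExpandEnv(flagValue)
}

// literalCertsDir is the post-patch behaviour: the value is used verbatim, so
// any expansion is the job of the shell that built the command line.
func literalCertsDir(flagValue string) string {
	return flagValue
}

// loadCA stands in for a certificate loader. Like most loaders it reports the
// path it tried in its error text, which is what turns in-process expansion
// into a channel that discloses environment variable values.
func loadCA(certsDir string) error {
	p := filepath.Join(certsDir, "ca.crt")
	if _, err := os.Stat(p); err != nil {
		return fmt.Errorf("problem loading CA certificate: %s: %w", p, err)
	}
	return nil
}

// errText renders an error for comparison; a nil error yields "".
func errText(err error) string {
	if err == nil {
		return ""
	}
	return err.Error()
}

// ErrorMessages returns the certificate-load error produced for one flag value
// under the old (expanding) and new (literal) behaviour, with the constructed
// secret present in the environment for the duration of the call.
func ErrorMessages(flagValue string) (before, after string) {
	os.Setenv(demoVar, demoSecret)
	defer os.Unsetenv(demoVar)
	before = errText(loadCA(expandedCertsDir(flagValue)))
	after = errText(loadCA(literalCertsDir(flagValue)))
	return before, after
}

// LeaksSecret reports whether a message reveals the constructed secret value.
func LeaksSecret(msg string) bool {
	return strings.Contains(msg, demoSecret)
}

func main() {
	// A flag value that names the secret variable, as the description warns about.
	before, after := ErrorMessages("$" + demoVar)
	fmt.Printf("old behaviour: %s\n  leaks secret: %v\n", before, LeaksSecret(before))
	fmt.Printf("new behaviour: %s\n  leaks secret: %v\n", after, LeaksSecret(after))

	// A directory whose name legitimately contains a dollar sign: os.ExpandEnv
	// treats "$1" as a variable reference and silently drops it.
	dir := "certs$1"
	fmt.Printf("%q -> old %q, new %q\n", dir, expandedCertsDir(dir), literalCertsDir(dir))
}
```

Running the block prints the old-behaviour error with the secret value spliced into the path and the new-behaviour error with the literal `$DEMO_LICENSE` text, and shows `certs$1` collapsing to `certs` under `os.ExpandEnv`. The defensive takeaway matches the release note: leave expansion to the shell, and treat flag values that reach error messages as untrusted strings rather than templates.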