Mask user credentials in ps output of pbm-agent

Environment

None

AFFECTED CS IDs

273519 CS0018383

Activity

Jira Bot July 30, 2021 at 10:56 AM

Hi, I'm jira-bot, Percona's Jira automation tool. I've detected that someone from
Percona has made an edit to the Summary field of an issue that you reported.

I'm not sentient (yet) so I'm not sure whether the person fixed a typo, changed
a few words, or completely rewrote the text. In any case, it is Percona Engineering's
intention to make the Summary and Description of an issue as accurate as possible
so that we're fixing the actual problem you're encountering, and to avoid
misunderstandings about symptoms and causes.

If the current Summary does not accurately reflect the problem you are reporting,
or if you feel the change was otherwise inappropriate in some way, please add a
new comment explaining things and we'll address it as soon as we can.

This message will be added only once per issue, regardless of how many times
the Summary is edited.

message-code:summary-edited

Akira Kurogane February 17, 2020 at 1:21 PM

Note: if/when we apply this feature we can consider reverting . Just a thought; I'm not strongly for or against it.

Akira Kurogane January 15, 2020 at 1:01 AM
Edited

Hi Jericho!

For readers at the moment (with PBM v<= v1.1):

"ps -o args" prints what is in /proc/<pid>/cmdline.


A programmatic fix to redact the username and password from a commandline --mongodb-uri argument is to do the following after start:

  • Read the whole cmdline string from /proc/self/cmdline

  • Check for the presence of a "--mongodb-uri[=|\s+]\S+" match in that cmdline string. Exit if none.

  • Parse the URI string using url.Parse(). Exit if the UserInfo parts are empty.

  • Redact the UserInfo part. (TBD: Just the password or both the username and password.)

  • If we can assume redacted URI length is <= original URI then overwrite existing memory:

    • Something like: memset(*argv, 0, strlen(*argv)); (done somehow in golang)

  • If we can't assume redacted URI is <= original URI length then make a new cmdline:

    • Put the entire cmdline string with the redacted --mongodb-uri somewhere else in the stack memory

    • Use the prctl(2) syscall with PR_SET_MM_ARG_START+PR_SET_MM_ARG_END (done somehow in golang)

See https://unix.stackexchange.com/questions/302948/change-proc-pid-environ-after-process-start for ways to do it in C, on Linux. The question asks how to overwrite environ, but the answers apply to cmdline as well.
See https://stackoverflow.com/questions/14926020/setting-process-name-as-seen-by-ps-in-go for ways to do it in Go.
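
The in-place branch of the procedure above, as an added Go sketch that is not part of the original comment and is not Percona's code. The function names are hypothetical, the whole userinfo is removed so the redacted URI is never longer than the original, and the prctl(2) branch is not covered.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"reflect"
	"strings"
	"unsafe"
)

// redactURI drops "user:password@" from uri; ok is false if there is none.
func redactURI(uri string) (string, bool) {
	u, err := url.Parse(uri)
	if err != nil || u.User == nil || u.Scheme == "" {
		return uri, false
	}
	start := len(u.Scheme) + 3                              // just past "scheme://"
	end := start + strings.IndexAny(uri[start:]+"/", "/?#") // end of authority
	return uri[:start] + uri[strings.LastIndex(uri[:end], "@")+1:], true
}

// redactArg redacts arg when it is "--mongodb-uri=URI" or follows "--mongodb-uri".
func redactArg(prev, arg string) (string, bool) {
	val := strings.TrimPrefix(arg, "--mongodb-uri=")
	if val == arg && prev != "--mongodb-uri" {
		return arg, false // not the URI value
	}
	r, ok := redactURI(val)
	return arg[:len(arg)-len(val)] + r, ok
}

// overwriteArg rewrites os.Args[i] in place (assumes os.Args aliases argv, as with Go on Linux).
func overwriteArg(i int, redacted string) {
	h := (*reflect.StringHeader)(unsafe.Pointer(&os.Args[i]))
	pad := append([]byte(redacted), make([]byte, h.Len)...) // redacted + NULs
	for j, b := range pad[:h.Len] {
		*(*byte)(unsafe.Pointer(h.Data + uintptr(j))) = b
	}
}

func main() {
	for i := 1; i < len(os.Args); i++ {
		if r, ok := redactArg(os.Args[i-1], os.Args[i]); ok {
			overwriteArg(i, r)
		}
	}
	cmdline, _ := os.ReadFile("/proc/self/cmdline") // what "ps -o args" reads
	fmt.Printf("%q\n", cmdline)
}
```

Copy the original URI into a fresh string before calling overwriteArg, because any value still sliced from os.Args changes with it. url.Parse rejects some multi-host MongoDB URIs (for example when the last host has no port), and in that case this sketch leaves the argument untouched.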

Done

Details

Time tracking

7h 40m logged

Created January 14, 2020 at 1:05 PM
Updated March 5, 2024 at 7:18 PM
Resolved July 6, 2021 at 12:57 PM