Details
- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- 6.6.0
- Both windows and linux
- Untriaged
- 1
- No
Description
What's the issue?
There are a couple of places where 'cbbackupmgr' may implicitly scrape sensitive information where it shouldn't. For example:
1) 'cbbackupmgr' logs the S3 access keys at the beginning of running a sub-command (6.6.x+ only)
2) Some of the (platform specific) commands run when collecting system information may collect the command line arguments of other processes on the system.
Steps to reproduce #1
1) Install Couchbase server 6.6.0-7897 on a Windows Server 2016
2) Run backup to S3.
3) Run collect-logs in S3 using cbbackupmgr; the logs collect OK, but it displays all S3 credentials in raw text.
```text
-c localhost -u <ud>Administrator</ud> -p ******** -r backup -a s3://bkrepo --obj-access-key-id AKIAJP --obj-secret-access-key xzsNfaTXZWBf --obj-staging-dir /root/bk-staging --obj-region us-west-2
2020-08-04T22:48:59.413+00:00 (Cmd) mounted archive with id: 2b4c1837-86c1-4275-8934-9d138b2f7709
2020-08-04T22:48:59.415+00:00 (Rest) GET http://localhost:8091/pools 200
2020-08-04T22:48:59.419+00:00 (Rest) GET http://localhost:8091/pools/default 200
2020-08-04T22:48:59.424+00:00 (Rest) GET http://localhost:8091/pools/default/buckets 200
2020-08-04T22:48:59.468+00:00 (Rest) GET http://localhost:8091/pools/default/buckets 200
2020-08-04T22:48:59.473+00:00 (Rest) GET http://localhost:8091/pools/default/buckets/travel-sample 200
2020-08-04T22:48:59.475+00:00 (Rest) GET http://localhost:8091/pools 200
2020-08-04T22:48:59.475+00:00 (Cmd) Backing up cluster 759547ebd21e733e4173ad953bb0b196
2020-08-04T22:48:59.476+00:00 (Stats) Starting stat gathering - stat timestamp: 1596581339
2020-08-04T22:48:59.476+00:00 (Plan) Transferring cluster configuration
2020-08-04T22:48:59.477+00:00 (Rest)
```
We need to hide it, as is already done for the password.
This issue prevents uploading logs to MB-40764.
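The two defensive steps this report calls for, as an added example in Go (the language cbbackupmgr is written in). This is not cbbackupmgr's own code and not its `cmdLineArgsToString` function: the flag set, the function names `maskedCmdLine` and `scrubLog`, and the log excerpt are assumptions constructed for the example. `maskedCmdLine` renders argv for logging with credential values replaced by the same `********` mask the password already gets, covering both `--flag value` and `--flag=value` spellings. `scrubLog` is the check a practitioner wants before uploading a collected archive: it scans the collected text for the known secret values themselves, so a leak that bypasses the argument masker (as the reopen comment below reports for `--redact`) is still caught and counted.

```go
package main

import (
	"fmt"
	"strings"
)

// Flags whose values are credentials and must never reach a log file.
// The names come from the command line in the issue's log excerpt; the set
// itself is an assumption for this example, not cbbackupmgr's own list.
var sensitiveFlags = map[string]bool{
	"-p":                      true,
	"--password":              true,
	"--obj-access-key-id":     true,
	"--obj-secret-access-key": true,
}

// The same placeholder the issue's excerpt shows for the masked password.
const mask = "********"

// maskedCmdLine returns a loggable rendering of argv with the value of every
// sensitive flag replaced by the mask. It handles "--flag value" (the value is
// the next token, exactly as an argument parser would consume it), "--flag=value",
// and a sensitive flag that is the last token with no value at all.
func maskedCmdLine(args []string) string {
	out := make([]string, 0, len(args))
	for i := 0; i < len(args); i++ {
		arg := args[i]
		if eq := strings.IndexByte(arg, '='); eq > 0 && sensitiveFlags[arg[:eq]] {
			out = append(out, arg[:eq]+"="+mask)
			continue
		}
		out = append(out, arg)
		if sensitiveFlags[arg] && i+1 < len(args) {
			out = append(out, mask)
			i++ // skip the real value so it is never appended
		}
	}
	return strings.Join(out, " ")
}

// scrubLog replaces every verbatim occurrence of each known secret in text
// with the mask and returns the scrubbed text plus the number of replacements.
// A non-zero count on a collected archive means the masking upstream failed
// somewhere. Longer secrets should be listed first if one may contain another.
func scrubLog(text string, secrets []string) (string, int) {
	total := 0
	for _, s := range secrets {
		if s == "" {
			continue
		}
		if n := strings.Count(text, s); n > 0 {
			text = strings.ReplaceAll(text, s, mask)
			total += n
		}
	}
	return text, total
}

func main() {
	// Constructed argv modelled on the issue's excerpt (hypothetical password).
	argv := []string{
		"-c", "localhost", "-u", "Administrator", "-p", "example-password",
		"-r", "backup", "-a", "s3://bkrepo",
		"--obj-access-key-id", "AKIAJP",
		"--obj-secret-access-key=xzsNfaTXZWBf",
		"--obj-region", "us-west-2",
	}
	fmt.Println(maskedCmdLine(argv))

	// Constructed log text standing in for a collected archive that leaked keys.
	collected := "(Cmd) args: --obj-access-key-id AKIAJP --obj-secret-access-key xzsNfaTXZWBf\n" +
		"(Rest) GET http://localhost:8091/pools 200\n"
	scrubbed, leaks := scrubLog(collected, []string{"xzsNfaTXZWBf", "AKIAJP"})
	fmt.Printf("%d secret occurrences removed before upload:\n%s", leaks, scrubbed)
}
```

The argument masker alone is not enough, which is why the second function exists: the report's item 2 (system-information commands that capture other processes' command lines) and the reopen comment both describe leaks that happen after the process's own argv has been rendered, and only a scan for the secret values themselves catches those.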
Attachments
Activity
Field | Original Value | New Value |
---|---|---|
Assignee | Patrick Varley [ pvarley ] | James Lee [ james.lee ] |
Summary | [CBM] cbbackupmgr collect-logs should not display raw access-key and secret-key in cbbackupmgr log file | cbbackupmgr 'cmdLineArgsToString' does not correctly mask object store credentials |
Fix Version/s | 6.6.0 [ 16787 ] |
Due Date | 05/Aug/20 |
Status | Open [ 1 ] | In Progress [ 3 ] |
Link | This issue blocks MB-38724 [ MB-38724 ] |
Labels | approved-for-6.6.0 |
Resolution | Fixed [ 1 ] | |
Status | In Progress [ 3 ] | Resolved [ 5 ] |
Assignee | James Lee [ james.lee ] | Thuan Nguyen [ thuan ] |
Resolution | Fixed [ 1 ] | |
Status | Resolved [ 5 ] | Reopened [ 4 ] |
Attachment | ss 2020-08-05 at 5.23.30 PM.png [ 103181 ] |
Assignee | Thuan Nguyen [ thuan ] | James Lee [ james.lee ] |
Link | This issue relates to MB-40783 [ MB-40783 ] |
Attachment | mac-os-cbbackupmgr-collectinfo-archive-2020-08-06T164507.zip [ 103255 ] |
Attachment | cbbackupmgr-collectinfo-couchbase-archive-2020-08-06T170212.zip [ 103256 ] |
Attachment | windows-cbbackupmgr-collectinfo-couchbase-archive-2020-08-06T122944.zip [ 103301 ] |
Assignee | James Lee [ james.lee ] | Thuan Nguyen [ thuan ] |
Resolution | Fixed [ 1 ] | |
Status | Reopened [ 4 ] | Resolved [ 5 ] |
Status | Resolved [ 5 ] | Closed [ 6 ] |
Link | This issue relates to CBD-3571 [ CBD-3571 ] |
Assignee | Thuan Nguyen [ thuan ] | James Lee [ james.lee ] |
Resolution | Fixed [ 1 ] | |
Status | Closed [ 6 ] | Reopened [ 4 ] |
Fix Version/s | 6.5.2 [ 17223 ] |
Link | This issue blocks MB-42583 [ MB-42583 ] |
Labels | approved-for-6.6.0 | approved-for-6.5.2 approved-for-6.6.0 |
Summary | cbbackupmgr 'cmdLineArgsToString' does not correctly mask object store credentials | cbbackupmgr shouldn't log/collect sensitive information |
Description | (original value, below) | (new value, below) |
Original value:
Install Couchbase server 6.6.0-7897 on a windows server 2016
Run backup to S3. Run collect-logs in S3 using cbbackupmgr, logs collect ok but it display all S3 credentials in raw text. {noformat} -c localhost -u <ud>Administrator</ud> -p ******** -r backup -a s3://bkrepo --obj-access-key-id AKIAJP --obj-secret-access-key xzsNfaTXZWBf --obj-staging-dir /root/bk-staging --obj-region us-west-2 2020-08-04T22:48:59.413+00:00 (Cmd) mounted archive with id: 2b4c1837-86c1-4275-8934-9d138b2f7709 2020-08-04T22:48:59.415+00:00 (Rest) GET http://localhost:8091/pools 200 2020-08-04T22:48:59.419+00:00 (Rest) GET http://localhost:8091/pools/default 200 2020-08-04T22:48:59.424+00:00 (Rest) GET http://localhost:8091/pools/default/buckets 200 2020-08-04T22:48:59.468+00:00 (Rest) GET http://localhost:8091/pools/default/buckets 200 2020-08-04T22:48:59.473+00:00 (Rest) GET http://localhost:8091/pools/default/buckets/travel-sample 200 2020-08-04T22:48:59.475+00:00 (Rest) GET http://localhost:8091/pools 200 2020-08-04T22:48:59.475+00:00 (Cmd) Backing up cluster 759547ebd21e733e4173ad953bb0b196 2020-08-04T22:48:59.476+00:00 (Stats) Starting stat gathering - stat timestamp: 1596581339 2020-08-04T22:48:59.476+00:00 (Plan) Transferring cluster configuration 2020-08-04T22:48:59.477+00:00 (Rest) {noformat} We need to hide it as in password This issue prevent upload logs to
New value:
+What's the issue?+
There is a couple of places where '{{cbbackupmgr}}' may implicitly scrape sensitive information where it shouldn't. For example: 1) '{{cbbackupmgr}}' logs the S3 access keys at the beginning of running a sub-command (6.6.x+ only) 2) Some of the (platform specific) commands run when collecting system information may collect the command line arguments of other processes on the system. +Steps to reproduce #1+ 1) Install Couchbase server 6.6.0-7897 on a windows server 2016 2) Run backup to S3. 3) Run collect-logs in S3 using cbbackupmgr, logs collect ok but it display all S3 credentials in raw text. {noformat} -c localhost -u <ud>Administrator</ud> -p ******** -r backup -a s3://bkrepo --obj-access-key-id AKIAJP --obj-secret-access-key xzsNfaTXZWBf --obj-staging-dir /root/bk-staging --obj-region us-west-2 2020-08-04T22:48:59.413+00:00 (Cmd) mounted archive with id: 2b4c1837-86c1-4275-8934-9d138b2f7709 2020-08-04T22:48:59.415+00:00 (Rest) GET http://localhost:8091/pools 200 2020-08-04T22:48:59.419+00:00 (Rest) GET http://localhost:8091/pools/default 200 2020-08-04T22:48:59.424+00:00 (Rest) GET http://localhost:8091/pools/default/buckets 200 2020-08-04T22:48:59.468+00:00 (Rest) GET http://localhost:8091/pools/default/buckets 200 2020-08-04T22:48:59.473+00:00 (Rest) GET http://localhost:8091/pools/default/buckets/travel-sample 200 2020-08-04T22:48:59.475+00:00 (Rest) GET http://localhost:8091/pools 200 2020-08-04T22:48:59.475+00:00 (Cmd) Backing up cluster 759547ebd21e733e4173ad953bb0b196 2020-08-04T22:48:59.476+00:00 (Stats) Starting stat gathering - stat timestamp: 1596581339 2020-08-04T22:48:59.476+00:00 (Plan) Transferring cluster configuration 2020-08-04T22:48:59.477+00:00 (Rest) {noformat} We need to hide it as in password This issue prevent upload logs to
Status | Reopened [ 4 ] | In Progress [ 3 ] |
Assignee | James Lee [ james.lee ] | Thuan Nguyen [ thuan ] |
Resolution | Fixed [ 1 ] | |
Status | In Progress [ 3 ] | Resolved [ 5 ] |
Assignee | Thuan Nguyen [ thuan ] | James Lee [ james.lee ] |
Resolution | Fixed [ 1 ] | |
Status | Resolved [ 5 ] | Reopened [ 4 ] |
Assignee | James Lee [ james.lee ] | Thuan Nguyen [ thuan ] |
Resolution | Fixed [ 1 ] | |
Status | Reopened [ 4 ] | Resolved [ 5 ] |
Attachment | cbbackupmgr-collectinfo-my_archive-2021-01-28T182737.zip [ 124273 ] |
Attachment | cbbackupmgr-collectinfo-my_archive-2021-01-28T182737 2.zip [ 124274 ] |
Attachment | cbbackupmgr-collectinfo-my_archive-2021-01-28T185045.zip [ 124275 ] |
Status | Resolved [ 5 ] | Closed [ 6 ] |
I tried again with the --redact flag; collect-logs still has the raw access key and secret key in the log.