#3443 Issue open: 001_verify_config_arrays.sh leaks secrets in arrays
Labels: enhancement
jsmeix opened issue at 2025-04-03 11:53:
ReaR version
current master code
Describe the ReaR bug in detail
When there is a secret in an array 001_verify_config_arrays.sh leaks it.
For my test I have in local.conf
{ MY_PASSWORDS=( my_actual_password ) ; } 2>>/dev/$SECRET_OUTPUT_DEV
and in the bash where I later run 'rear -D help' I did
# MY_PASSWORDS=( my_dummy_password )
and then I run 'rear -D help'
# usr/sbin/rear -D help
Sourced files must be owned by one of the TRUSTED_OWNERS: root
Sourced files must be below one of the TRUSTED_PATHS: /root/rear.github.master/ /usr/ /etc/ /lib/
Running 'init' stage ======================
Running workflow help on the normal/original system
...
Running exit tasks
and got in the ReaR debug log file
# egrep ' Including |my_.*_password' var/log/rear/rear-localhost.log.lockless
...
2025-04-03 13:50:35.758115681 Including /root/rear.github.master/etc/rear/local.conf
2025-04-03 13:50:35.848891575 Including init/default/001_verify_config_arrays.sh
++ [[ { MY_PASSWORDS=( my_actual_password ) ; } 2>>/dev/$SECRET_OUTPUT_DEV == *MY_PASSWORDS?(+)=\(* ]]
2025-04-03 13:50:36.438710494 Including init/default/002_check_rear_recover_mode.sh
...
The same would also happen if we used an array for secrets in default.conf like
{ MY_PASSWORDS=() ; } 2>>/dev/$SECRET_OUTPUT_DEV
Currently we do not use an array in ReaR for secret values (currently we only use strings for secret values):
# grep SECRET_OUTPUT_DEV usr/share/rear/conf/default.conf | grep -v '^#'
{ OPAL_PBA_DEBUG_PASSWORD='' ; } 2>>/dev/$SECRET_OUTPUT_DEV
{ OPAL_PBA_TKNKEY='tpm:opalauthtoken:7' ; } 2>>/dev/$SECRET_OUTPUT_DEV
{ OUTPUT_LFTP_PASSWORD=${OUTPUT_LFTP_PASSWORD:-} ; } 2>>/dev/$SECRET_OUTPUT_DEV
{ BACKUP_PROG_CRYPT_KEY="${BACKUP_PROG_CRYPT_KEY:-}" ; } 2>>/dev/$SECRET_OUTPUT_DEV
{ TTY_ROOT_PASSWORD='' ; } 2>>/dev/$SECRET_OUTPUT_DEV
{ SSH_ROOT_PASSWORD='' ; } 2>>/dev/$SECRET_OUTPUT_DEV
{ GALAXY11_PASSWORD=${GALAXY11_PASSWORD:-} ; } 2>>/dev/$SECRET_OUTPUT_DEV
{ ZYPPER_ROOT_PASSWORD='root' ; } 2>>/dev/$SECRET_OUTPUT_DEV
{ YUM_ROOT_PASSWORD='root' ; } 2>>/dev/$SECRET_OUTPUT_DEV
{ VEEAM_PASSWORD="${VEEAM_PASSWORD:-}" ; } 2>>/dev/$SECRET_OUTPUT_DEV
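The `++ [[ ... ]]` line quoted from the log above is bash's xtrace output, which 'rear -D' switches on: a `[[ ... == pattern ]]` test is echoed with its operands already expanded, so the whole config line, secret included, ends up in the debug log. The script below is an added example, not ReaR's own code (all function names and the config content are constructed for it): it reproduces the leak with a check like the one in 001_verify_config_arrays.sh, puts a variant next to it that wraps the test in the same `{ ... ; } 2>>/dev/...` idiom ReaR already uses for SECRET_OUTPUT_DEV, and a helper that runs either one under `set -x` and reports whether the secret reached the trace.

```bash
#!/bin/bash
# Added example (not ReaR code): shows how 'set -x' copies the operands of a
# [[ ... ]] pattern match into the trace, so a config line holding a secret
# lands in the debug log, and how the '{ ... ; } 2>>/dev/null' idiom (what
# ReaR does with SECRET_OUTPUT_DEV) keeps the check out of the trace.
# Function names and the config content are constructed for this demonstration.
set -u
# The check uses the ksh-style ?(+) optional group, as ReaR's pattern does.
shopt -s extglob

# Writes a constructed local.conf that carries a secret in an array
# (the password value is made up).
make_config() {
    local conf=$1
    cat >"$conf" <<'EOF'
# constructed test config
BACKUP_URL=nfs://server/export
{ MY_PASSWORDS=( my_actual_password ) ; } 2>>/dev/$SECRET_OUTPUT_DEV
EOF
}

# Leaky check: looks for an array assignment to NAME on each config line.
# Under 'set -x' the expanded "$line" (secret included) is echoed to stderr.
check_arrays_leaky() {
    local conf=$1 name=$2 line
    while IFS= read -r line ; do
        [[ "$line" == *${name}?(+)=\(* ]] && return 0
    done <"$conf"
    return 1
}

# Hardened check: the same test, but stderr of the group (where xtrace
# writes) is discarded, so the secret never reaches the trace.
check_arrays_safe() {
    local conf=$1 name=$2 line
    while IFS= read -r line ; do
        { [[ "$line" == *${name}?(+)=\(* ]] ; } 2>/dev/null && return 0
    done <"$conf"
    return 1
}

# Runs CHECKER on CONF with xtrace enabled and captures only the trace.
# Returns 0 if the secret value shows up in the trace, 1 otherwise.
trace_leaks_secret() {
    local checker=$1 conf=$2 trace
    trace=$( { set -x ; "$checker" "$conf" MY_PASSWORDS || : ; set +x ; } 2>&1 >/dev/null )
    [[ "$trace" == *my_actual_password* ]]
}

# Demo: bash this_script.sh demo
if [[ ${1:-} == demo ]] ; then
    conf=$(mktemp)
    make_config "$conf"
    for checker in check_arrays_leaky check_arrays_safe ; do
        if trace_leaks_secret "$checker" "$conf" ; then
            echo "$checker: secret appears in the xtrace output"
        else
            echo "$checker: trace is clean"
        fi
    done
    rm -f "$conf"
fi
```

Running it with the `demo` argument prints one line per variant; the leaky one reports the secret in the trace, the wrapped one does not, while both still find the array assignment. The redirection on the group is applied before any command inside it runs, which is why the trace of the `[[` test is swallowed along with everything else the group writes to stderr.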
jsmeix commented at 2025-04-03 11:56:
All 'declare -p' code places in ReaR need thorough investigation plus generic means to not leak secrets - also not by accident:
# find usr/sbin/rear usr/share/rear/ -type f | xargs grep 'declare -p' | grep -v ': *#'
usr/share/rear/init/default/998_dump_variables.sh:
if { LogSecret "Runtime Configuration:$LF$( declare -p )" ; } 2>>/dev/$SECRET_OUTPUT_DEV ; then
usr/share/rear/init/default/001_verify_config_arrays.sh:
declare -p | sed -n -E -e '/^declare -a/s/declare [-arxlu]+ ([A-Za-z0-9_-]+)=.*/\1/p'
usr/share/rear/rescue/RSYNC/default/600_store_RSYNC_variables.sh:
declare -p ${!RSYNC*} | sed -e 's/declare .. //' | grep -v BACKUP_RSYNC_OPTIONS >>$ROOTFS_DIR/etc/rear/rescue.conf
usr/share/rear/lib/rear-shell.bashrc:
declare -p $(compgen -v | grep -iF "${1:-_}")
usr/share/rear/lib/dump-workflow.sh:
LogUserOutput "$( declare -p $variable_name | sed -e 's/^/ /' )"
LogUserOutput "$( declare -p $variable_name | sed -e 's/^declare -[[:alpha:]-]* / /' -e 's/\([( ]\)\[[[:digit:]]\+\]=/\1/g' )"
usr/share/rear/lib/shell-workflow.sh:
export REAR_EVAL="$(declare -p | grep -Ev 'declare .. (VERBOSE|MASTER_PID|WORKING_DIR|MASKS)=.*')"
For example 'declare -p' leaks secrets by accident when "$variable_name" is empty in
declare -p $variable_name
because plain 'declare -p' prints all variables' values, as in
https://github.com/rear/rear/issues/2967
see also
https://github.com/rear/rear/wiki/Coding-Style#beware-of-the-emptiness
For declare -p $variable_name quoting helps:
# var=''
# declare -p $var | wc -l
130
# declare -p "$var" | wc -l
bash: declare: : not found
0
The specific cases
usr/share/rear/lib/dump-workflow.sh:
LogUserOutput "$( declare -p $variable_name ...
LogUserOutput "$( declare -p $variable_name ...
are OK because the code is
function output_variable_assignment () {
local variable_name=$1
test -v "$variable_name" || return 1
...
LogUserOutput "$( declare -p $variable_name ...
...
LogUserOutput "$( declare -p $variable_name ...
so '$variable_name' cannot be empty because test -v "" returns '1'.
Nevertheless in general regarding leaking secrets in usr/share/rear/lib/dump-workflow.sh see
https://github.com/rear/rear/issues/3444
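The "beware of the emptiness" pitfall described in the comment above, in runnable form, as an added example that is not ReaR's code (function names are constructed): an unquoted `declare -p $name` with an empty name dumps every variable, the `test -v` guard plus quoting from dump-workflow.sh refuses it, and `compgen -A arrayvar` lists array variable names without expanding a single value, which is an alternative to the `declare -p | sed` pipeline in 001_verify_config_arrays.sh that only wants the names in the first place.

```bash
#!/bin/bash
# Added example (not ReaR code): the 'declare -p $variable_name' pitfall.
# With an empty name the unquoted expansion vanishes, 'declare -p' gets no
# argument at all and prints every variable, secrets included.
# Function names are constructed for this demonstration.
set -u

# Pitfall: NAME is expanded unquoted, so an empty NAME dumps everything.
dump_var_unsafe() {
    declare -p ${1:-}
}

# Guarded version: 'test -v' rejects an empty or unset name (the guard quoted
# from dump-workflow.sh), and the quoted expansion keeps an empty string as an
# argument, so 'declare -p ""' fails instead of listing all variables.
dump_var_safe() {
    local variable_name=${1:-}
    test -v "$variable_name" || return 1
    declare -p "$variable_name"
}

# Names of all array variables without expanding any value: compgen's
# 'arrayvar' action prints names only, unlike 'declare -p | sed ...', which
# pushes every value through the pipeline just to pick out the names.
list_array_names() {
    compgen -A arrayvar
}

# Counts how many variable definitions a dump produced; 0 when it was refused.
count_dumped() {
    "$@" 2>/dev/null | grep -c '^declare '
}

# Demo: bash this_script.sh demo
if [[ ${1:-} == demo ]] ; then
    SOME_SECRET='constructed-secret-value'   # made-up value for the demo
    SOME_ARRAY=( one two )
    echo "unsafe with empty name: $(count_dumped dump_var_unsafe '') definitions dumped"
    echo "safe with empty name:   $(count_dumped dump_var_safe '') definitions dumped"
    echo "safe with SOME_ARRAY:   $(dump_var_safe SOME_ARRAY)"
    echo "array names only:"
    list_array_names
fi
```

The first demo line is the surprise: the unsafe function dumps the whole variable set, SOME_SECRET included, although it was asked for nothing. The guarded version dumps zero definitions for the empty name and exactly one for SOME_ARRAY, and `list_array_names` shows SOME_ARRAY among the names without ever printing its elements.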
jsmeix commented at 2025-04-09 13:37:
With https://github.com/rear/rear/pull/3449 merged
the initially described specific bug in this issue
"When there is a secret in an array 001_verify_config_arrays.sh leaks it."
should be (hopefully) sufficiently avoided.
The generic part
"All 'declare -p' code places in ReaR need thorough investigation plus generic means to not leak secrets - also not by accident"
is not yet done so I keep this issue open as a further enhancement task.
[Export of Github issue for rear/rear.]