#3449 PR `merged`: Avoid that 001_verify_config_arrays.sh leaks secrets¶

Labels: bug, fixed / solved / done

jsmeix opened issue at 2025-04-07 13:48:¶

Type: Bug Fix
Impact: High
Reference to related issue (URL):
https://github.com/rear/rear/issues/3443
How was this pull request tested?

As in
https://github.com/rear/rear/issues/3443#issue-2969329614
I have in default.conf

{ MY_PASSWORDS=( my_default_password ) ; } 2>>/dev/$SECRET_OUTPUT_DEV

and in the bash where I later run 'rear -D help' I did

# MY_PASSWORDS=( my_dummy_password )

Then (with the changes in this pull request) I get:

# usr/sbin/rear -D help
...

# egrep ' Including |my_.*_password' var/log/rear/rear-localhost.log.lockless
...
2025-04-07 15:39:55.021382207 Including init/default/001_verify_config_arrays.sh
2025-04-07 15:39:55.663217781 Including init/default/002_check_rear_recover_mode.sh
...

# usr/sbin/rear -e -D help
...

# egrep ' Including |my_.*_password' var/log/rear/rear-localhost.log.lockless
...
2025-04-07 15:41:19.796992543 Including init/default/001_verify_config_arrays.sh
2025-04-07 15:41:20.415675839 Including init/default/002_check_rear_recover_mode.sh

When I have in local.conf

{ MY_PASSWORDS=( my_actual_password ) ; } 2>>/dev/$SECRET_OUTPUT_DEV

I get

# usr/sbin/rear -D help
...

# egrep ' Including |my_.*_password' var/log/rear/rear-localhost.log.lockless
...
2025-04-07 15:42:59.100357881 Including init/default/001_verify_config_arrays.sh
2025-04-07 15:42:59.729373461 Including init/default/002_check_rear_recover_mode.sh
...

# usr/sbin/rear -e -D help
...

# egrep ' Including |my_.*_password' var/log/rear/rear-localhost.log.lockless
...
2025-04-07 15:43:33.114877986 Including init/default/001_verify_config_arrays.sh
++ [[ { MY_PASSWORDS=( my_actual_password ) ; } 2>>/dev/$SECRET_OUTPUT_DEV == *MY_PASSWORDS?(+)=\(* ]]
2025-04-07 15:43:33.743125157 Including init/default/002_check_rear_recover_mode.sh

When I have in local.conf

{ MY_PASSWORDS='my_actual_password' ; } 2>>/dev/$SECRET_OUTPUT_DEV

I get

# usr/sbin/rear -D help
...
ERROR: Syntax error: Variable MY_PASSWORDS not assigned as Bash array in /root/rear.github.master/etc/rear/local.conf
...

# egrep ' Including |my_.*_password' var/log/rear/rear-localhost.log.lockless
...
2025-04-07 15:45:17.094986107 Including init/default/001_verify_config_arrays.sh

# usr/sbin/rear -e -D help
...
ERROR: Syntax error: Variable MY_PASSWORDS not assigned as Bash array in /root/rear.github.master/etc/rear/local.conf:
  { MY_PASSWORDS='my_actual_password' ; } 2>>/dev/$SECRET_OUTPUT_DEV
...

# egrep ' Including |my_.*_password' var/log/rear/rear-localhost.log.lockless
...
2025-04-07 15:46:22.129633799 Including init/default/001_verify_config_arrays.sh
++ [[ { MY_PASSWORDS='my_actual_password' ; } 2>>/dev/$SECRET_OUTPUT_DEV == *MY_PASSWORDS?(+)=\(* ]]
  { MY_PASSWORDS='\''my_actual_password'\'' ; } 2>>/dev/$SECRET_OUTPUT_DEV
  { MY_PASSWORDS='\''my_actual_password'\'' ; } 2>>/dev/$SECRET_OUTPUT_DEV
  { MY_PASSWORDS='\''my_actual_password'\'' ; } 2>>/dev/$SECRET_OUTPUT_DEV
                                { MY_PASSWORDS='my_actual_password' ; } 2>>/dev/$SECRET_OUTPUT_DEV
  { MY_PASSWORDS='\''my_actual_password'\'' ; } 2>>/dev/$SECRET_OUTPUT_DEV

Description of the changes in this pull request:

In init/default/001_verify_config_arrays.sh
avoid that using $line could leak secrets
into the ReaR log file in dbugscript mode
by using $line within

{ ... } 2>>/dev/$SECRET_OUTPUT_DEV

jsmeix commented at 2025-04-08 12:40:¶

Sigh!

My current means against leaking out secrets by using

{ ...
  ...
} 2>>/dev/$SECRET_OUTPUT_DEV

around code that deals with secret values
is still generically insufficient because

# usr/sbin/rear -e -D help
...
ERROR: Syntax error: Variable MY_PASSWORDS not assigned as Bash array in /root/rear.github.master/etc/rear/local.conf:
  { MY_PASSWORDS='my_actual_password' ; } 2>>/dev/$SECRET_OUTPUT_DEV
...

shows in var/log/rear/rear-localhost.log.lockless

++ Error 'Syntax error: Variable MY_PASSWORDS not assigned as Bash array in /root/rear.github.master/etc/rear/local.conf:
  { MY_PASSWORDS='\''my_actual_password'\'' ; } 2>>/dev/$SECRET_OUTPUT_DEV
'
...
++ LogToSyslog 'ERROR: Syntax error: Variable MY_PASSWORDS not assigned as Bash array in /root/rear.github.master/etc/rear/local.conf:
  { MY_PASSWORDS='\''my_actual_password'\'' ; } 2>>/dev/$SECRET_OUTPUT_DEV
'

where that LogToSyslog call outputs on "syslog" via logger
(in my case logger outputs to /var/log/messages)

2025-04-08T14:13:00.722245+02:00 localhost rear[924]: ERROR: Syntax error: Variable MY_PASSWORDS not assigned as Bash array in /root/rear.github.master/etc/rear/local.conf:#012  { MY_PASSWORDS='my_actual_password' ; } 2>>/dev/$SECRET_OUTPUT_DEV

so the secret value 'my_actual_password' appears in "syslog".

At least in my case on openSUSE Leap 15.6

# ls -l /var/log/messages
-rw-r----- 1 root root 196790 Apr  8 14:13 /var/log/messages

/var/log/messages can only be read by user and group 'root'
so technically it is OK to have secret value therein
BUT
from a more generic security and privacy perspective
it is not OK to have secret values in a file
when that is not really needed.

In this specific case here the information of the secret value
is is not needed in /var/log/messages to help the user
to understand what that error is (and/or was) about
so the simpler error message

ERROR: Syntax error: Variable MY_PASSWORDS not assigned as Bash array in /root/rear.github.master/etc/rear/local.conf

is sufficient.

Where 'LogToSyslog' is called in ReaR:

# find usr/sbin/rear usr/share/rear/ -type f | xargs grep 'LogToSyslog'

usr/sbin/rear:
        LogToSyslog "$PROGRAM $WORKFLOW finished with zero exit code"
            LogToSyslog "$PROGRAM checklayout finished with exit code 1 (layout or config changed)"
            LogToSyslog "$PROGRAM $WORKFLOW failed with exit code $EXIT_CODE"

usr/share/rear/lib/_framework-setup-and-functions.sh:
function LogToSyslog () {
    LogToSyslog "ERROR: $*"

The last one in _framework-setup-and-functions.sh is
within the 'Error' function.

So the 'Error' function should not be used with secret values
because it outputs those secret values to "syslog".

The usage description of the LogSecret function in
lib/_framework-setup-and-functions.sh
shows a way how to correctly implement things:

if { COMMAND $SECRET_ARGUMENT ; } 2>>/dev/$SECRET_OUTPUT_DEV ; then
    { LogSecret "'COMMAND $SECRET_ARGUMENT' succeeded" || Log "COMMAND succeeded" ; } 2>>/dev/$SECRET_OUTPUT_DEV
else
    { LogSecret "'COMMAND $SECRET_ARGUMENT' failed with exit code $?" ; } 2>>/dev/$SECRET_OUTPUT_DEV
    Error "COMMAND failed"
fi

In particular the 'Error' function is called
with a message which does not contain secrets.

jsmeix commented at 2025-04-08 13:23:¶

With my latest change
https://github.com/rear/rear/pull/3449/commits/20a4829361e143c6fdd27e0d12fa0fbe7a31b77e
I get

# usr/sbin/rear -D help
...
ERROR: Syntax error: Variable MY_PASSWORDS not assigned as Bash array in /root/rear.github.master/etc/rear/local.conf
Some latest log messages since the last called script 001_verify_config_arrays.sh:
  2025-04-08 15:21:02.635111998 Entering debugscript mode via 'set -x'.
  2025-04-08 15:21:02.646850888 Trusted sourcing '/root/rear.github.master/usr/share/rear/init/default/001_verify_config_arrays.sh'

# tail -n1 /var/log/messages
2025-04-08T15:21:02.991081+02:00 localhost rear[9057]: ERROR: Syntax error: Variable MY_PASSWORDS not assigned as Bash array in /root/rear.github.master/etc/rear/local.conf

versus

# usr/sbin/rear -e -D help
...
ERROR: Syntax error: Variable MY_PASSWORDS not assigned as Bash array in /root/rear.github.master/etc/rear/local.conf
Some latest log messages since the last called script 001_verify_config_arrays.sh:
  2025-04-08 15:22:40.377687207 Entering debugscript mode via 'set -x'.
  2025-04-08 15:22:40.389373247 Trusted sourcing '/root/rear.github.master/usr/share/rear/init/default/001_verify_config_arrays.sh'
  2025-04-08 15:22:40.733326371 /root/rear.github.master/etc/rear/local.conf : MY_PASSWORDS not assigned as array : { MY_PASSWORDS='my_actual_password' ; } 2>>/dev/$SECRET_OUTPUT_DEV
...

# tail -n1 /var/log/messages
2025-04-08T15:22:40.753477+02:00 localhost rear[9952]: ERROR: Syntax error: Variable MY_PASSWORDS not assigned as Bash array in /root/rear.github.master/etc/rear/local.conf

jsmeix commented at 2025-04-08 14:16:¶

@rear/contributors
I would like to merge it tomorrow afternoon
provided there are no severe objections.

All changes here are ReaR internal so we can further adapt
and enhance things as needed at any time later as we like.

[Export of Github issue for rear/rear.]

#3449 PR merged: Avoid that 001_verify_config_arrays.sh leaks secrets¶

jsmeix opened issue at 2025-04-07 13:48:¶

jsmeix commented at 2025-04-08 12:40:¶

jsmeix commented at 2025-04-08 13:23:¶

jsmeix commented at 2025-04-08 14:16:¶

#3449 PR `merged`: Avoid that 001_verify_config_arrays.sh leaks secrets¶