#3496 PR merged: Get explicit user confirmation in opaladmin-workflow.sh
Labels: bug, fixed / solved / done
jsmeix opened issue at 2025-07-15 13:10:
- Type: Bug Mitigation
  Mitigate https://github.com/rear/rear/issues/3486
  for now until at some later time the OPAL related code
  gets properly secured against leaking out secrets
  by a contributor who actually uses a TCG Opal disk.
- Impact: Normal
- Reference to related issue (URL):
  https://github.com/rear/rear/issues/3486#issuecomment-3073334020
- How was this pull request tested?
  See below:
  https://github.com/rear/rear/pull/3496#issuecomment-3073553814
- Description of the changes in this pull request:
  In lib/opaladmin-workflow.sh
  get explicit user confirmation that
  the user "knows what he does" via a true
  OPAL_EXPOSE_SECRETS environment variable
  for OPAL specific secrets or in general via
  the '--expose-secrets' option for any secrets,
  or inform the user that secrets could leak out.
jsmeix commented at 2025-07-15 13:14:
How it behaves on my test VM
cf. https://github.com/rear/rear/issues/3486#issuecomment-3073298315
# usr/sbin/rear -d opaladmin changePW /dev/vdb
...
Running 'init' stage ======================
Running workflow opaladmin on the normal/original system
Workflow 'opaladmin' could leak out secrets:
E.g. the TCG Opal password could leak out into the ReaR log file.
In particular in debugscript mode ('-D') secrets will leak out.
You may export the environment variable OPAL_EXPOSE_SECRETS='yes'
to confirm that you know how to keep your system secure on your own.
ERROR: Won't run 'opaladmin' (OPAL_EXPOSE_SECRETS not true or no '--expose-secrets')
# usr/sbin/rear -D opaladmin changePW /dev/vdb
...
Running 'init' stage ======================
Running workflow opaladmin on the normal/original system
Workflow 'opaladmin' will leak out secrets:
E.g. the TCG Opal password leaks out into the ReaR log file.
In particular in debugscript mode ('-D') secrets will leak out.
You may export the environment variable OPAL_EXPOSE_SECRETS='yes'
to confirm that you know how to keep your system secure on your own.
ERROR: Won't run 'opaladmin' (OPAL_EXPOSE_SECRETS not true or no '--expose-secrets')
# usr/sbin/rear -e -D opaladmin changePW /dev/vdb
...
Running 'init' stage ======================
Running workflow opaladmin on the normal/original system
Dumped all variable values (including possibly confidential values) into /root/rear.github.master/var/log/rear/rear-localhost.log
UserInput -I OPALADMIN_NEW_PASSWORD needed in /root/rear.github.master/usr/share/rear/lib/opal-functions.sh line 334
Enter new disk password:
# export OPAL_EXPOSE_SECRETS=yes
# usr/sbin/rear -D opaladmin changePW /dev/vdb
...
Running 'init' stage ======================
Running workflow opaladmin on the normal/original system
UserInput -I OPALADMIN_NEW_PASSWORD needed in /root/rear.github.master/usr/share/rear/lib/opal-functions.sh line 334
Enter new disk password:
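As an added example, not ReaR's own code: a self-contained bash sketch of the confirmation gate the PR description lays out, reproducing the "could" vs "will leak out" behaviour shown in the test session above. OPAL_EXPOSE_SECRETS and the '--expose-secrets' option are from the PR; the function names and EXPOSE_SECRETS as the variable behind that option are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not ReaR's code: gate a secret-handling workflow behind an
# explicit opt-in, mirroring the check this PR adds to opaladmin-workflow.sh.

# Stand-in for ReaR's is_true helper: accept the usual spellings of "yes".
is_true() {
    case "$1" in
        1|y|Y|yes|Yes|YES|true|True|TRUE) return 0 ;;
        *) return 1 ;;
    esac
}

# opal_secrets_gate WORKFLOW [debugscript]
# Reads OPAL_EXPOSE_SECRETS (the OPAL-specific opt-in from the PR) and
# EXPOSE_SECRETS (assumed name of the variable set by '--expose-secrets').
# Returns 0 when the workflow may run, 1 when it must be refused; the
# explanation goes to stderr so it cannot be mistaken for workflow output.
opal_secrets_gate() {
    local workflow="$1"
    local mode="${2:-}"
    if is_true "${OPAL_EXPOSE_SECRETS:-}" || is_true "${EXPOSE_SECRETS:-}"; then
        return 0
    fi
    # With -D (debugscript) every script runs under 'set -x', so each
    # assignment, password included, is traced into the log: leakage is certain.
    local severity="could"
    if [ "$mode" = debugscript ]; then
        severity="will"
    fi
    cat >&2 <<EOF
Workflow '$workflow' $severity leak out secrets:
E.g. the TCG Opal password $severity leak out into the ReaR log file.
In particular in debugscript mode ('-D') secrets will leak out.
You may export the environment variable OPAL_EXPOSE_SECRETS='yes'
to confirm that you know how to keep your system secure on your own.
EOF
    echo "ERROR: Won't run '$workflow' (OPAL_EXPOSE_SECRETS not true or no '--expose-secrets')" >&2
    return 1
}

# Demo: refused without opt-in, allowed once the variable is exported.
# (Subshells keep the exported variable from leaking into the caller.)
( opal_secrets_gate opaladmin debugscript ) || echo "refused as expected" >&2
( export OPAL_EXPOSE_SECRETS=yes; opal_secrets_gate opaladmin debugscript && echo "allowed" >&2 )
```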
jsmeix commented at 2025-07-16 08:42:
@rear/contributors
I would like to merge it tomorrow afternoon
unless there are severe objections.
[Export of Github issue for rear/rear.]