cifs credentials appear in process table #1828
Comments
@freedge
if you use
the process table is readable by any user (in the pid namespace) while a file benefits from user permissions and is not recorded by auditing tools. Here it should probably be a file in memory under /run or a pipe file descriptor, created for the duration of the mount call. Or passed through stdin as an alternative. (some guidelines https://clig.dev/#arguments-and-flags)
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
/remove-lifecycle stale
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten
What happened:
the cifs credentials are given as mount process arguments, so they appear in the process table and are recorded by auditing tools
azurefile-csi-driver/pkg/azurefile/nodeserver.go
Lines 317 to 318 in 54a024d
the documentation this refers to is also wrong.
What you expected to happen:
no password appearing in the process table, use -o credentials= instead
How to reproduce it:
Anything else we need to know?:
this is what stackrox finds
Environment:
kubectl version): v1.25.12 as bundled in OCP 4.12
uname -a):
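As an added illustration of the fix the report asks for (not code from azurefile-csi-driver): the argv pattern the issue describes next to the credentials-file alternative, with a check that the secret no longer appears in any mount argument. The share, mount point, user and password values are constructed, and mount is not actually invoked.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// buildExposedArgs builds argv the way the issue describes: the password is an
// argument, so it is readable in /proc/<pid>/cmdline and captured by audit logs.
func buildExposedArgs(source, target, user, pass string) []string {
	return []string{"-t", "cifs", "-o", "username=" + user + ",password=" + pass, source, target}
}

// writeCredentialsFile writes a mount.cifs credentials file (username=/password=
// lines) with mode 0600 inside dir, which the caller creates privately (e.g.
// under /run or via os.MkdirTemp) and removes once mount has returned.
func writeCredentialsFile(dir, user, pass string) (string, error) {
	// mount.cifs parses the file line by line; a newline in a value would
	// inject an extra option line, so refuse it instead of writing it.
	if strings.ContainsAny(user+pass, "\r\n") {
		return "", fmt.Errorf("credentials must not contain line breaks")
	}
	path := filepath.Join(dir, "credentials")
	content := fmt.Sprintf("username=%s\npassword=%s\n", user, pass)
	if err := os.WriteFile(path, []byte(content), 0o600); err != nil {
		return "", err
	}
	return path, nil
}

// buildProtectedArgs puts only the file path in argv; the secret stays in the file.
func buildProtectedArgs(source, target, credPath string) []string {
	return []string{"-t", "cifs", "-o", "credentials=" + credPath, source, target}
}

// argsLeakSecret is the check a test can run: does any argv element contain the secret?
func argsLeakSecret(args []string, secret string) bool {
	for _, a := range args {
		if strings.Contains(a, secret) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed values; prints true, i.e. the exposed form leaks the password.
	fmt.Println(argsLeakSecret(buildExposedArgs("//srv/share", "/mnt/x", "svc", "s3cret"), "s3cret"))
}
```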