Salt: [BUG] webutils write passwords in cleartext to /var/log/salt/minion

Created on 10 Dec 2020  路  2Comments  路  Source: saltstack/salt

Description
Managing an htpasswd file with salt's webutil module causes passwords to be logged to /var/log/salt/minion in clear text.

Setup

web_user:
  webutil.user_exists:
    - name: web_user
    - password: {{ password }}
    - htpasswd_file: /var/www/localhost/htpasswd  
    - update: true

Steps to Reproduce the behavior
Run highstate against machine which doesn't already have the htpasswd file created. Errors are reported but state is applied correctly. The error is in the change validation from what I can tell.

2020-12-09 23:30:54,176 [salt.loaded.int.module.cmdmod:841 ][ERROR   ][5444] Command '['htpasswd', '-bv', '/var/www/localhost/htpasswd', 'web_user', '<removed for security>']' failed with return code: 3
2020-12-09 23:30:54,177 [salt.loaded.int.module.cmdmod:845 ][ERROR   ][5444] stderr: password verification failed
2020-12-09 23:30:54,177 [salt.loaded.int.module.cmdmod:847 ][ERROR   ][5444] retcode: 3

Expected behavior
The state to be applied and the password verification not to report an error or if there is an exeception, mask sensitive data being reported in the error.

Versions Report

salt --versions-report

Minion and master running same version of salt.

salt --versions-report
Salt Version:
           Salt: 2019.2.7

Dependency Versions:
           cffi: Not Installed
       cherrypy: unknown
       dateutil: 2.7.3
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.10
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 3.7.3 (default, Jul 25 2020, 13:03:44)
   python-gnupg: Not Installed
         PyYAML: 3.13
          PyZMQ: 17.1.2
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.3.1

System Versions:
           dist: debian 10.7 
         locale: UTF-8
        machine: x86_64
        release: 4.19.0-13-amd64
         system: Linux
        version: debian 10.7

Additional context
Package version of apache2-utils: apache2-utils-2.4.29-1ubuntu4.14.

Aluminium Bug phase-execute severity-critical status-in-prog
Source
picture nzlosh

Most helpful comment

This may warrant a CVE.

picture OrangeDog on 10 Dec 2020
👍2

All 2 comments

This may warrant a CVE.

OrangeDog picture OrangeDog on 10 Dec 2020
👍2

Yes, we are immediately looking into this. Thank you for the report.

sagetherage picture sagetherage on 11 Dec 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

twangboy picture twangboy  路  3Comments
saurabhnemade picture saurabhnemade  路  3Comments
sfozz picture sfozz  路  3Comments
qiushics picture qiushics  路  3Comments
erwindon picture erwindon  路  3Comments