Page MenuHomeVyOS Platform
Create Task
Maniphest T7420

Pass credentials to download commands in environment variables
Closed, ResolvedPublic
Actions

Description

At the moment, we pass usernames and passwords in inline environment variables embedded in shell commands, like in https://github.com/vyos/vyos-1x/blob/current/src/op_mode/image_installer.py#L576

That approach has some security implications. Since credentials are a part of the command, they are visible in the process list, and can potentially leak into tech supports reports and the like when the stars are right those files are generated exactly at the moment when a download script is running. Not very likely, but not impossible.

Passing them in process environment variables is much safer in that regard.

Details

Version
-
Is it a breaking change?
Perfectly compatible
Issue type
Internal change (not visible to end users)

Related Objects

Event Timeline

dmbaturin created this task.Apr 30 2025, 1:50 PM
dmbaturin triaged this task as Normal priority.
dmbaturin added projects: VyOS 1.5 Circinus, VyOS 1.4 Sagitta (1.4.3).
dmbaturin added a comment.Apr 30 2025, 2:52 PM

PR: https://github.com/vyos/vyos-1x/pull/4489

pasik subscribed.May 1 2025, 7:59 AM
dmbaturin mentioned this in rVYOSONEX161eda9aeacb: installer: T7420: pass image download credentials in environment variables.May 1 2025, 2:24 PM
Restricted Repository Identity mentioned this in rVYOSONEXbcbecf52df2b: Merge pull request #4489 from dmbaturin/T7420-download-credentials.May 1 2025, 2:24 PM
dmbaturin edited projects, added VyOS 1.5 Circinus (1.5-stream-2025-Q2); removed VyOS 1.5 Circinus.May 28 2025, 9:15 PM
dmbaturin moved this task from Open to Finished on the VyOS 1.5 Circinus (1.5-stream-2025-Q2) board.
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.4); removed VyOS 1.4 Sagitta (1.4.3).Jul 14 2025, 2:03 PM
Viacheslav closed this task as Resolved.Sep 25 2025, 1:47 AM
Viacheslav moved this task from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.4) board.
Viacheslav moved this task from Need Triage to Completed on the VyOS Rolling board.
dmbaturin edited projects, added VyOS 1.5 Circinus (2025.11); removed VyOS 1.4 Sagitta (1.4.4), VyOS 1.5 Circinus (1.5-stream-2025-Q2), VyOS Rolling.Thu, Nov 13, 2:41 AM