
Secret readable in process table

Open paulmenzel opened this issue 4 years ago • 5 comments

Passing the secret using the switch --secret is insecure, as every local user can read it by running ps aux.

paulmenzel, Mar 23 '20 14:03

I guess one solution would be that the application itself is extended to parse the config file or read environment variables instead of using switches.

paulmenzel, Mar 23 '20 15:03

I guess one solution would be that the application itself is extended to parse the config file or read environment variables instead of using switches.

We've actually got this change already mostly implemented in JVB 2.

bbaldino, Mar 23 '20 15:03

The change that jvb reads the configuration file itself?

paulmenzel, Mar 23 '20 15:03

Well, even JVB 1 does read a config file itself (sip-communicator.properties). I don't know the reason why these were passed as switches instead of the config (perhaps easier for deployment), but this is for XMPP component mode of the JVB, right? That's technically deprecated at this point anyway (or maybe I'm misremembering what this switch is for).

bbaldino, Mar 23 '20 15:03

secret is for component connection, which is already deprecated, and new packages do not default to it.

damencho, Mar 24 '20 03:03
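
An added example, not part of the issue thread or of the jitsi-videobridge code: a Linux audit helper that parses the NUL-separated argv exposed in /proc/<pid>/cmdline (the data ps aux prints) and reports switches that carry a secret on the command line, with the value redacted. Only --secret comes from the issue; the other switch names and the sample argv buffers are assumptions constructed for illustration.

```python
import os
import re

# "--secret" is the switch from the issue; the other names are assumed examples.
SECRET_SWITCHES = re.compile(r"^--?(secret|password|passwd|token|api-key)$", re.I)


def parse_cmdline(raw):
    """Split the NUL-separated argv format of /proc/<pid>/cmdline."""
    if not raw:
        return []  # kernel threads and zombies expose an empty cmdline
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\0").split(b"\0")]


def find_exposed(argv):
    """Return secret-bearing switches that carry a value, value redacted."""
    hits = []
    for i, arg in enumerate(argv):
        name, sep, value = arg.partition("=")
        if not SECRET_SWITCHES.match(name):
            continue
        if sep and value:  # form: --secret=value
            hits.append(name + "=<redacted>")
        elif not sep and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            hits.append(name + " <redacted>")  # form: --secret value
    return hits


def scan_proc(proc_root="/proc"):
    """Audit every process whose cmdline the current user can read."""
    findings = {}
    if not os.path.isdir(proc_root):
        return findings  # not a Linux procfs system
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                hits = find_exposed(parse_cmdline(fh.read()))
        except OSError:
            continue  # process exited, or access is restricted (e.g. hidepid)
        if hits:
            findings[int(entry)] = hits
    return findings


# Constructed sample argv buffers, not captured from a real deployment.
SAMPLE_INLINE = b"\0".join([b"java", b"--host=localhost", b"--secret=s3cr3t"]) + b"\0"
SAMPLE_SPLIT = b"\0".join([b"daemon", b"--secret", b"s3cr3t", b"--port", b"5347"]) + b"\0"
SAMPLE_CLEAN = b"\0".join([b"daemon", b"--config", b"/etc/app/app.conf"]) + b"\0"
```

Running scan_proc() as an unprivileged user shows what any local account can see; an empty result for a service means its secret is no longer passed as a switch.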