Do not log password
Describe the bug
When running opencloud init, the password of the admin user is logged, which is bad practice due to security implications.
Steps to reproduce
- Using the container opencloudeu/opencloud-rolling:2.3.0
- /etc/opencloud being empty
- Environment variable IDM_ADMIN_PASSWORD set to mypassword
- In the container run opencloud init
Expected behavior
The password is not logged.
Actual behavior
The log contains:
=========================================
generated OpenCloud Config
=========================================
configpath : /etc/opencloud/opencloud.yaml
user : admin
password : mypassword
Setup
Additional context
@windsource I do not agree with your analysis.
We are creating a random password if none is given. This is important; we should always be "Secure by default".
We need some method to inform the admin during the first startup of opencloud.
NOTE: This is only when using the internal IDM. Normal deployments are using external IDM.
@micbar I get your point. But you can see in my example that I provide a password via the environment variable IDM_ADMIN_PASSWORD. What about logging the password only when it has been generated?
@rhafer I am not sure if we can distinguish that case.
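Added example, not part of the thread and not OpenCloud's code: a Go sketch of the behaviour proposed above, where the init banner shows the admin password only if it was generated. The names `adminSecret`, `resolveAdminPassword` and `initSummary` are hypothetical, and the sketch assumes the init step can see whether `IDM_ADMIN_PASSWORD` was set.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"os"
)

// adminSecret keeps the password together with its origin, so later
// code can decide whether it is safe to display. (Hypothetical type.)
type adminSecret struct {
	Value     string
	Generated bool
}

// resolveAdminPassword prefers an operator-supplied IDM_ADMIN_PASSWORD and
// falls back to a random password, recording which of the two happened.
func resolveAdminPassword(lookup func(string) (string, bool)) (adminSecret, error) {
	if v, ok := lookup("IDM_ADMIN_PASSWORD"); ok && v != "" {
		return adminSecret{Value: v}, nil
	}
	buf := make([]byte, 24)
	if _, err := rand.Read(buf); err != nil {
		return adminSecret{}, err
	}
	return adminSecret{Value: base64.RawURLEncoding.EncodeToString(buf), Generated: true}, nil
}

// initSummary builds the first-start banner. A supplied password is already
// known to the operator, so only a generated one is printed.
func initSummary(configPath string, s adminSecret) string {
	shown := "(set via IDM_ADMIN_PASSWORD, not shown)"
	if s.Generated {
		shown = s.Value
	}
	return fmt.Sprintf("generated OpenCloud Config\nconfigpath : %s\nuser : admin\npassword : %s\n",
		configPath, shown)
}

func main() {
	s, err := resolveAdminPassword(os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(initSummary("/etc/opencloud/opencloud.yaml", s))
}
```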