
When the nebula-console software is used, the plaintext password is leaked by running the `ps -ef` command

Status: Open · opened by cccxgit · 4 comments

In the startup script of the storaged service container, the nebula-console software is used to perform the add host operation. When I developed the k8s probe, I also used the nebula-console software to check node serviceability and status.

This risks compromising the plaintext password. When you run the `ps -ef` command to view process information, the plaintext password is displayed:

UID        PID  PPID    C STIME  TTY     TIME      CMD
root    33235 32818  0 21:58   pts/1    00:00:00 nebula-console --addr infinitygraph-graphd-headless --port 8888 -u root -p xxxxxxx

cccxgit · Apr 28 '24 15:04
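The exposure described in the report, as an added example that is not part of the original issue or of nebula-console. It spawns a placeholder process (`fake-console`, an assumed stand-in) with a constructed password on its argv and reads the argv back the way `ps -ef` does, then contrasts that with handing the secret over through the environment. It assumes a Linux `/proc` (falling back to `ps`) and a POSIX shell.

```shell
#!/bin/sh
# Added example, not code from nebula-console or the NebulaGraph project.
# A password passed as an argv element (`-p xxxxxxx`) is visible to every
# local user through `ps -ef`, because a process's argv is world-readable
# via /proc/<pid>/cmdline. Assumptions: Linux /proc (falls back to `ps`),
# POSIX sh, a constructed placeholder password, and `fake-console` as a
# stand-in name for nebula-console.

# Print a process's argument vector as `ps -ef` would show it.
cmdline_of() {
  if [ -r "/proc/$1/cmdline" ]; then
    tr '\0' ' ' < "/proc/$1/cmdline"
  else
    ps -o args= -p "$1"
  fi
}

# Spawn a long-running child and report whether SECRET appears in its argv.
# $1 = secret, $2 = how it is passed: "argv" or "env".
# Prints "leaked" when the secret is readable from the argv, "hidden" otherwise.
probe() {
  secret=$1; mode=$2
  case $mode in
    argv)
      # The reported pattern: password as a command-line flag value.
      sh -c 'sleep 30' fake-console --port 8888 -u root -p "$secret" >/dev/null 2>&1 &
      ;;
    env)
      # Out-of-band alternative. The environment is still readable by the
      # same uid (and root) via /proc/<pid>/environ, but it is not part of
      # the argv that `ps -ef` prints for every user on the host.
      FAKE_CONSOLE_PASSWORD=$secret sh -c 'sleep 30' fake-console --port 8888 -u root >/dev/null 2>&1 &
      ;;
    *)
      printf 'unknown mode: %s\n' "$mode" >&2; return 2
      ;;
  esac
  pid=$!
  sleep 1   # let the child finish exec() so /proc reports its own argv
  if cmdline_of "$pid" | grep -q -- "$secret"; then
    result=leaked
  else
    result=hidden
  fi
  kill "$pid" 2>/dev/null
  printf '%s\n' "$result"
}

# Run both modes side by side with a constructed placeholder password.
for mode in argv env; do
  printf 'password via %s: %s\n' "$mode" "$(probe 'hunter2-constructed' "$mode")"
done
```

The same check works against a real container: exec into it, read `/proc/<pid>/cmdline` for the console process, and grep for the password value; if it matches, any user who can list processes on that node can recover it. A secret delivered through a file with restricted permissions or a prompt on stdin closes this path; an environment variable narrows it to the same uid and root.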

We will optimize the plaintext display issue and make the modifications in the latest version.

QingZ11 · Apr 29 '24 08:04

Thanks for your reply. When will the plaintext password issue be resolved? Also, which repository will be modified: nebula-console or nebula?

cccxgit · Apr 29 '24 10:04

nebula-console supports it now: https://github.com/vesoft-inc/nebula-console/pull/239. The operator will support it in the upcoming release 1.8.1.

MegaByte875 · Apr 30 '24 04:04

Thanks for your reply. Your support has helped us a lot.

I still have some questions and requests for help:

  1. I found that the code for this issue has been submitted to the master branch of the nebula-console repository. Is there a compiled binary available for testing?
  2. The latest release of nebula-console is 3.6, where this issue is not resolved. Is it possible to incorporate the code for this issue into the v3.6 version? We're currently blocked by this security issue.

cccxgit · May 06 '24 02:05