Summary
While looking at puppet-openssl, I realized it uses OpenSSL's -passin/-passout options with "pass:" prefix, which leads to leakage of the password in the process list (and thus to all users of a system).
OpenSSL documentation [1] also states this is insecure.
I think we should either use a (properly secured) tempfile for this, or stdin.
[1] https://www.openssl.org/docs/man3.3/man1/openssl-passphrase-options.html
Details
% git grep pass:
lib/puppet/provider/x509_cert/openssl.rb: options << ['-passin', "pass:#{resource[:password]}"] if resource[:password]
lib/puppet/provider/x509_request/openssl.rb: options << ['-passin', "pass:#{resource[:password]}"] if resource[:password]
manifests/export/pem_cert.pp: default => "-nokeys -passin pass:'${in_pass}'",
manifests/export/pem_key.pp: default => "-passin pass:'${in_pass}'",
manifests/export/pem_key.pp: default => "-passout pass:'${out_pass}'",
manifests/export/pkcs12.pp: default => "-passin pass:${in_pass}",
manifests/export/pkcs12.pp: default => "-passout pass:${out_pass}",
PoC
Watch
ps aux |grep passin
while Puppet is running.
Impact
Local users can obtain cert passwords and thus take over the cert if they can access the keys (which they usually should not, hopefully).
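As an added example (not puppet-openssl's own code), the two alternatives proposed in the summary sketched in Ruby, the language of the affected providers: a 0600 tempfile passed as "file:<path>", or "stdin", both of which are passphrase sources listed in the cited OpenSSL man page. The function names, the argv_leaks_secret? review helper and the "hunter2-constructed" sample password are constructed for this illustration.

```ruby
require 'tempfile'
require 'open3'

# Alternatives to "-passin pass:<secret>" (the pattern the grep above found):
# a 0600 tempfile ("file:<path>") or stdin ("stdin"). In both cases the
# secret never appears in argv, so `ps aux` cannot show it to other users.

# Returns [argv, tempfile_or_nil]. The caller must close!/unlink the tempfile
# once openssl has exited.
def build_passin(argv, password, mode)
  case mode
  when :stdin
    # openssl reads the passphrase from its stdin. Only suitable when the
    # subcommand does not also read its *input* from stdin.
    [argv + ['-passin', 'stdin'], nil]
  when :file
    tf = Tempfile.new('passin')   # Ruby creates tempfiles O_EXCL with mode 0600
    tf.chmod(0o600)               # make the intent explicit anyway
    tf.write(password)
    tf.flush
    [argv + ['-passin', "file:#{tf.path}"], tf]
  else
    raise ArgumentError, "unknown passphrase mode #{mode.inspect}"
  end
end

# Review/test helper: does any argument carry the secret? This is exactly
# what "pass:#{resource[:password]}" does in the current providers.
def argv_leaks_secret?(argv, password)
  argv.any? { |arg| arg.include?(password) }
end

# Runs openssl with the passphrase fed through stdin. Returns
# [exit_status, stdout, stderr]. Requires the openssl binary on PATH.
def run_openssl_stdin(argv, password)
  cmd, _tf = build_passin(argv, password, :stdin)
  out, err, status = Open3.capture3(*cmd, stdin_data: "#{password}\n")
  [status.exitstatus, out, err]
end

# Same, but via a tempfile that is unlinked as soon as openssl exits.
def run_openssl_file(argv, password)
  cmd, tf = build_passin(argv, password, :file)
  out, err, status = Open3.capture3(*cmd)
  [status.exitstatus, out, err]
ensure
  tf&.close!   # close and unlink the passphrase file even on error
end
```

The cited passphrase-options page also documents fd:<n>, which keeps the secret out of both argv and the filesystem while leaving stdin free for the subcommand's own input.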