-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
login: warn about --password on command line #218
Conversation
Codecov Report
@@ Coverage Diff @@
## master #218 +/- ##
==========================================
+ Coverage 46.83% 46.84% +<.01%
==========================================
Files 172 172
Lines 11692 11692
==========================================
+ Hits 5476 5477 +1
+ Misses 5904 5903 -1
Partials 312 312 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Needs a rebase. |
fa92e4d
to
92c3ecf
Compare
Done, looks like the previous merge broke the build, so I fixed that too, let me know if my fix is wrong; I don't know anything about this code :) |
Hmm. And it seems the linter is complaining about this... but if we try it the way it was (the way the linter is suggesting), it doesn't compile. |
It builds (at least on go 1.8.3) but the linter crashes. |
cli/command/registry/login.go
Outdated
@@ -47,6 +51,34 @@ func runLogin(dockerCli command.Cli, opts loginOptions) error { | |||
ctx := context.Background() | |||
clnt := dockerCli.Client() | |||
|
|||
if opts.password != "" { | |||
fmt.Fprintf(os.Stderr, "Using --password via the CLI is insecure. Please use --password-file.\n") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
os.Stderr
should be dockerCli.Err()
cli/command/registry/login.go
Outdated
fmt.Fprintf(os.Stderr, "Using --password via the CLI is insecure. Please use --password-file.\n") | ||
} | ||
|
||
if opts.passwordFile != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should also support reading from stdin if passwordFile == "-"
. There is code to handle that from an arg in other commands. I'm not sure if we have a function for it yet, or if maybe we could extract one.
Other places this is done are docker build
, docker import
, docker secret create
cli/command/registry/login.go
Outdated
* conforms to the principle of least surprise, but I could be | ||
* wrong :) | ||
*/ | ||
if contents[len(contents)-1] == '\n' { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Anytime I have a long comment like this I think it's a good idea to split it into a new function. That way the comment can serve as a docstring on the function instead of cluttering up the logic within a function. Even if the function is only 3 lines, that's fine.
Maybe something like normalizePasswordFileContent()
?
I'm looking into the other 2 linter errors. I don't see them failing on master. |
Linter errors are fixed in #221 if you want to rebase on that commit (or just wait until it gets merged). There's some explanation of the problem as well. |
On Tue, Jun 20, 2017 at 9:40 PM, Daniel Nephin ***@***.***> wrote:
but if we try it the way it was (the way the linter is suggesting), it
doesn't compile.
It does compile, CI was green. Are you building outside of a container
with an older version of GO maybe?
I'm just typing "make" :). My host go version is 1.7.4.
… —
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#218 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAv612gVBfkO3vY_T-GdtvVU4OzGvozOks5sGJDCgaJpZM4OAS0D>
.
|
You can use |
92c3ecf
to
a7264ac
Compare
Thanks; seems that still didn't work for me (it didn't use the current version, where there was an obvious syntax error, but instead compiled successfully). Anyway, I dropped that commit and addressed all your feed back. I'm happy to rebase once #221 goes in, just ping me. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One minor comment about the comment, otherwise looks good.
Thanks!
cli/command/registry/login.go
Outdated
* For users that do have a \n as the last character of their password, they | ||
* need to store it as \n\n. I think this conforms to the principle of least | ||
* surprise, but I could be wrong :) | ||
*/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe the go convention is to use //
single line comments for everything instead of /* ... */
a7264ac
to
c754a2d
Compare
Fixed, thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
c754a2d
to
7677b98
Compare
I've just rebased this now that #221 is merged, so this should be good to go as well. |
@vdemeester big improvement on the discussion we had. I'll open an issue to make sure that users simply don't provide passwords on the commandline, either stdin or from file |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR, two comments/questions :
- Not a huge fan of
-f
short flag, doesn't tell me it's for password, user or both.-pf
or no short flag - We should make those mutually exclusive (or warn that password file
--password-file
override--password
)
(cc @thaJeztah)
This isn't safe, since every commands arguments are available via /proc/<pid>/cmdline. Let's print a nasty warning and then add a --password-file option, so people can use a password file instead if they want automated access. Signed-off-by: Tycho Andersen <tycho@tycho.ws>
7677b98
to
ea37ec4
Compare
The CLI library doesn't seem to like -pf:
so I've just dropped the short flag for now, and made them mutually exclusive. |
Looks like I'm a bit late to the party; I'm 👍 on a big red warning when using Having a password file means: hey! you should store your password in a plain-text file on your machine! I don't think we should promote this What if, instead, we allow the password to be piped in? Looks like it's currently not supported; # or whatever means to pipe the password
$ echo $SECRET | docker login -u myname
Error: Cannot perform an interactive login from a non TTY device |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you split the "password file" and "warning" parts to two separate PR's? I think they need separate discussions
please dont just have --password-file options but also have environment variables like DOCKER_ServerURL, DOCKER_Username and DOCKER_Secret. This can help in atomating the docker login process. |
Putting secrets in environment variables is just as unsafe as putting them in the command line (the task's initial environment is available via /proc/pid/environ). There are some other ways this leaks too: https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/ So the patches will only support taking passwords via stdin. |
This isn't safe, since every commands arguments are available via
/proc//cmdline.
Let's print a nasty warning and then add a --password-file option, so
people can use a password file instead if they want automated access.
Signed-off-by: Tycho Andersen tycho@tycho.ws