borgmatic-collective/borgmatic
borgmatic-collective/borgmatic
10
65
Fork 26
Code Issues 41 Pull Requests 4 Actions Packages Releases 140 Activity

MongoDB Password leaked to Log #848

New Issue
Closed
opened 2024-04-11 06:41:11 +00:00 by marcohald · 3 comments
marcohald commented 2024-04-11 06:41:11 +00:00
Copy Link

What I'm trying to do and why

when configuring the mongodb Backup like this:

mongodb_databases:
    - name: test
      hostname: 127.0.0.1
      port: 27018
      username: mongoadmin
      password: test
      authentication_database: admin

The Password is logged in cleartext

Steps to reproduce

No response

Actual behavior

DEBUG mongodump --host 127.0.0.1 --port 27018 --username mongoadmin --password test --authenticationDatabase admin --db test --archive

Expected behavior

Password should be not logged

Other notes / implementation ideas

maybe like in this answer https://stackoverflow.com/a/63568946/10966928
store the pw in a tempfile and pipe it to mongodump

borgmatic version

1.8.2

borgmatic installation method

Debian package

Borg version

No response

Python version

No response

Database version (if applicable)

No response

Operating system and version

No response

### What I'm trying to do and why when configuring the mongodb Backup like this: ``` mongodb_databases: - name: test hostname: 127.0.0.1 port: 27018 username: mongoadmin password: test authentication_database: admin ``` The Password is logged in cleartext ### Steps to reproduce _No response_ ### Actual behavior DEBUG mongodump --host 127.0.0.1 --port 27018 --username mongoadmin --password test --authenticationDatabase admin --db test --archive ### Expected behavior Password should be not logged ### Other notes / implementation ideas maybe like in this answer https://stackoverflow.com/a/63568946/10966928 store the pw in a tempfile and pipe it to mongodump ### borgmatic version 1.8.2 ### borgmatic installation method Debian package ### Borg version _No response_ ### Python version _No response_ ### Database version (if applicable) _No response_ ### Operating system and version _No response_
witten commented 2024-04-11 14:52:24 +00:00
Owner
Copy Link

Thanks for taking the time to file this! Avoiding the logging of the password makes sense to me, and I like the idea of passing it to mongodump via file instead of command-line. Other borgmatic database hooks pass passwords via environment variable, but that doesn't seem to be an option here.

Thanks for taking the time to file this! Avoiding the logging of the password makes sense to me, and I like the idea of passing it to `mongodump` via file instead of command-line. Other borgmatic database hooks pass passwords via environment variable, but that doesn't seem to be an option here.
witten added the
good first issue
security
 labels 2024-04-11 14:53:00 +00:00
witten commented 2024-04-16 17:21:45 +00:00
Owner
Copy Link

I couldn't get the temporary password file working, so I ended up just masking the command-line password value as it's logged. Implemented in main and soon to be released.

Thanks again!

I couldn't get the temporary password file working, so I ended up just masking the command-line password value as it's logged. Implemented in main and soon to be released. Thanks again!
witten commented 2024-04-16 17:45:30 +00:00
Owner
Copy Link

Released in 1.8.10!

Released in 1.8.10!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
blocked
bug
data loss
design finalized
good first issue
new feature area
question / support
security
waiting for response
No Label
good first issue
security
Milestone
No items
No Milestone
Assignees
Clear assignees
diivi import_bot witten
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: borgmatic-collective/borgmatic#848
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?