
Bug #2109

session_token should not be static

Added by Sandor Szücs about 10 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Immediate
Assignee:
Category:
Users, Roles and Permissions
Target version:
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

The session token of the Rails app should not be publicly available and static across all installations.

http://biggestfool.tumblr.com/post/24049554541/reminder-secret-token-rb-is-named-so-for-a-reason

Solution:
Generate the session token using SecureRandom, maybe as a Rake task, and add it to the installation and upgrade guides.

# RUBY_VERSION is a string, so compare against a string (the original compared it to a Float)
if RUBY_VERSION >= '1.9'
  require 'securerandom'
  # urlsafe_base64(64) yields 86 characters; keep the first 64
  SecureRandom.urlsafe_base64(64)[0..63]
  #=> "sZT3OdJVpHeIdbH5O8YLflOBXJbOv2ZY76GqsN1Clg1c1aiOzcMFZzKrRfUtJDTS"
else
  # ... (branch for older Rubies not given in the original)
end

Attachment: security.rake (1.22 KB) - "put it into lib/tasks/" - Sandor Szücs, 01/05/2013 08:05 AM

Associated revisions

Revision adfcf8f0 (diff)
Added by Dominic Cleal about 10 years ago

fixes #2109 - improve session token security

- adds security:generate token rake task to create static token
- generate and cache a token on startup if static token isn't present

Thanks to Sandor Szücs <>

Revision 669affd3 (diff)
Added by Dominic Cleal about 10 years ago

refs #2109 - generate secret token for cookies signing after install

Revision a0f490df
Added by Dominic Cleal about 10 years ago

refs #2109 - generate secret token for cookies signing after install

Revision d775da09
Added by Sam Kottler about 10 years ago

Merge remote branch 'upstream/master' into rc_changes

  • upstream/master:
    Further transition testing
    refs #2109 - generate secret token for cookies signing after install

Revision e2a34005 (diff)
Added by Dominic Cleal about 10 years ago

refs #2109 - generate secret token for cookies signing after install

Revision a6dd55c2 (diff)
Added by Dominic Cleal about 10 years ago

refs #2109 - restrict secret token to root:foreman

Revision a9f06590 (diff)
Added by Dominic Cleal about 10 years ago

refs #2109 - restrict secret token to root:foreman, move before service start

History

#2 Updated by Sandor Szücs about 10 years ago

Ohad Levy wrote:

also, some more background http://blog.phusion.nl/2013/01/04/securing-the-rails-session-secret/

I don't think that this: hash("#{machine_uuid}-#{hostname}-#{app_name}")
is good enough. If there are users with an operator role who have ssh access to look into logs or do some cleanup tasks, but who are not administrators in the Foreman web app, then we have a privilege escalation here. Hostname and app_name are known, and the uuid can be read with ssh access from the machine....
Anyway, nice read, Ohad.

Greets Sandor

#3 Updated by Dominic Cleal about 10 years ago

I like the rake task idea. To make it usable without running the task, we could comment out or delete secret_token.rb, then add an initializer after that which generates and stores a key in tmp/ if the token's unset. People are then able to generate a static one with the rake task if they need it, which overrides the temporary secret.
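
The two-layer scheme sketched in the description (a SecureRandom-generated static token written by a rake task) and in the comment above (an initializer that generates and caches a token in tmp/ when no static one exists) as an added example in plain Ruby. This is not Foreman's code; the project's actual implementation is in the linked pull request. The module and method names, the paths config/secret_token and tmp/secret_token, and the 64-byte token length are assumptions. It needs neither Rails nor Rake to run, and the permission check mirrors the later "restrict secret token to root:foreman" revisions by rejecting world-readable token files while still allowing group read.

```ruby
require 'securerandom'
require 'fileutils'

# Added example (not Foreman's code): static token file first, cached
# per-installation token second, fresh token generated and cached last.
module SessionSecret
  TOKEN_BYTES = 64 # 512 bits of entropy; the file holds 128 hex characters

  # Fresh secret from the OS CSPRNG, hex-encoded. Never derived from
  # hostname/uuid/app name, which anyone with shell access can read.
  def self.generate
    SecureRandom.hex(TOKEN_BYTES)
  end

  # Persist a token owner-read/write only. The perm argument to File.open
  # is applied only when the file is created, so chmod afterwards as well
  # in case an older, more permissive file was already there.
  def self.write_token(path, token)
    FileUtils.mkdir_p(File.dirname(path))
    File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0600) { |f| f.write(token) }
    File.chmod(0600, path)
    token
  end

  # Read a token file, returning nil (so the caller falls through) when the
  # file is absent, world-readable, or too short to be a real secret. The
  # last case stops an empty or placeholder file from becoming the key.
  def self.read_token(path)
    return nil unless File.file?(path)
    return nil unless (File.stat(path).mode & 0o007).zero? # group read (root:foreman) is tolerated
    token = File.read(path).strip
    token.length >= 2 * TOKEN_BYTES ? token : nil
  end

  # What a "security:generate_token" rake task (assumed name) would do:
  # create a static secret that survives restarts and upgrades.
  def self.generate_static!(static_path)
    write_token(static_path, generate)
  end

  # What the initializer would do at boot: prefer the static file, else the
  # token cached under tmp/, else generate one and cache it for next boot.
  def self.load_or_create(static_path:, cache_path:)
    read_token(static_path) || read_token(cache_path) || write_token(cache_path, generate)
  end
end
```

At boot, `SessionSecret.load_or_create(static_path: 'config/secret_token', cache_path: 'tmp/secret_token')` is what the initializer would hand to the session store; running `SessionSecret.generate_static!('config/secret_token')` once (the rake task) makes every later boot pick that value instead of the cached one. The rejection of short tokens is deliberate: a static file that still contains a placeholder must not silently win over a generated secret.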

#4 Updated by Dominic Cleal about 10 years ago

  • Status changed from New to Ready For Testing

Implemented the above, kept the rake task: https://github.com/theforeman/foreman/pull/353

Katello generates a secret during RPM installation too, we could do the same in our package post installs by running the rake task.

#5 Updated by Sandor Szücs about 10 years ago

Dominic Cleal wrote:

Implemented the above, kept the rake task: https://github.com/theforeman/foreman/pull/353

Katello generates a secret during RPM installation too, we could do the same in our package post installs by running the rake task.

It's not a good idea to use activesupport's SecureRandom, because they removed it: https://github.com/rails/rails/commit/1170cceaaec8c0c8aef173913405be1456e4b2be#activesupport/lib/active_support

#6 Updated by Dominic Cleal about 10 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#7 Updated by Ohad Levy about 10 years ago

  • Assignee set to Dominic Cleal
  • Target version set to 1.1
