Adam Cameron
lucee-server/context/password.txt. We're currently using a plain-text value here, which is a bit of a security shortcoming, and I was wondering if one can provide the hash of the pwd instead of the clear-text one somehow?
Tangentially related, it's not uncommon for Docker images to support environment variables for this sort of thing (eg https://hub.docker.com/_/mysql, and scroll down to "Environment Variables"). The Lucee image page on Dockerhub doesn't mention anything like this, but wondering if there's anything that's just not documented..?
(NB: this is specifically a Lucee question, and nowt to do with how CommandBox might do its own thing even betterer)
Evil Ware
06/30/2022, 1:51 PM
thisOldDave
06/30/2022, 2:12 PM
bdw429s
06/30/2022, 5:10 PM
bdw429s
06/30/2022, 5:11 PM
CFCONFIG_HSPW=<hashhere>
bdw429s
06/30/2022, 5:11 PM
bdw429s
06/30/2022, 5:13 PM
cfusion/lib/password.properties file and sets the encrypted=false flag, which means it doesn't get encrypted until ACF starts the first time. So it's really not much different than Lucee's password.txt approach outside of Lucee involving two different files.
bdw429s
06/30/2022, 5:18 PM
sed pretty easily.
bdw429s
06/30/2022, 5:18 PM
Adam Cameron
bdw429s
06/30/2022, 5:27 PM
bdw429s
06/30/2022, 5:27 PM
encrypted:xxxx format
Evil Ware
06/30/2022, 5:30 PM
Adam Cameron
bdw429s
06/30/2022, 5:32 PM
Adam Cameron
Evil Ware
06/30/2022, 5:35 PM
bdw429s
06/30/2022, 5:35 PM
test into the command prompt as my new password, and here are the changes it made to my password.properties file:
rdspassword=test
password=test
encrypted=false
thisOldDave
06/30/2022, 5:38 PM
bdw429s
06/30/2022, 5:40 PM
bdw429s
06/30/2022, 5:41 PM
thisOldDave
06/30/2022, 5:44 PM
thisOldDave
06/30/2022, 5:45 PM
bdw429s
06/30/2022, 5:47 PM
${} system setting expansions that CommandBox/CFConfig does in JSON files can be extended by modules at runtime, so you could conceivably do this:
{
"someSetting": "${myVault.someKey}"
}
And then have a custom module that hits your special vault storage to resolve that key.
bdw429s
06/30/2022, 5:47 PM
bdw429s
06/30/2022, 5:49 PM
thisOldDave
06/30/2022, 5:51 PM
Evil Ware
06/30/2022, 6:00 PM
carehart
06/30/2022, 6:14 PM
carehart
06/30/2022, 6:19 PM
bdw429s
06/30/2022, 6:20 PM
carehart
06/30/2022, 6:21 PM
gavinbaumanis
07/01/2022, 12:03 AM
thisOldDave
07/01/2022, 7:38 AM
Adam Cameron
"a left-handed touch typist"
Now see, that sounds like some sort of onanistic euphemism to me.
thisOldDave
07/01/2022, 2:02 PM
bdw429s
07/01/2022, 3:36 PM
"storing of a password as plain text, 'somewhere on disk' for a period, however short... and that's not optimal."
@gavinbaumanis If this were to happen only as part of the Docker build process, I wouldn't think it too serious. Ideally, you wouldn't leave the plain text passwords laying around your built docker images since it increases the likelihood of them being discovered. I have clients who prefer to not even leave the encrypted DS passwords inside their docker images. It really depends on what your comfort level is and how large of an infosec team is breathing down your neck. As far as the solutions, I think we covered and re-covered them above.
Evil Ware
07/01/2022, 3:38 PM