From 5a8c75574e7db7ee5c7c91556ae661a346956c0f Mon Sep 17 00:00:00 2001
From: merlinz01 <158784988+merlinz01@users.noreply.github.com>
Date: Tue, 23 Apr 2024 19:13:38 -0400
Subject: [PATCH 1/3] add example of using slots to populate env vars from pillar

---
 salt/states/cmd.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/salt/states/cmd.py b/salt/states/cmd.py
index df0aec96ef8..f99db2562f1 100644
--- a/salt/states/cmd.py
+++ b/salt/states/cmd.py
@@ -229,6 +229,14 @@ To use it, one may pass it like this. Example:
 cmd.run:
 - env: {{ salt['pillar.get']('example:key', {}) }}
+Better yet, use the slots feature to insert the data at runtime and minimize pillar data exposure:
+
+.. code-block:: yaml
+
+ printenv:
+ cmd.run:
+ - env: __slot__:salt:pillar.get(example:key)
+
 """
 import copy

From f310d513df520f8502b161694da0795d1d86112e Mon Sep 17 00:00:00 2001
From: merlinz01 <158784988+merlinz01@users.noreply.github.com>
Date: Tue, 23 Apr 2024 19:36:19 -0400
Subject: [PATCH 2/3] add documentation about passing sensitive data to commands

---
 salt/states/cmd.py | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/salt/states/cmd.py b/salt/states/cmd.py
index f99db2562f1..a159606663a 100644
--- a/salt/states/cmd.py
+++ b/salt/states/cmd.py
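Review bot: The new example uses `printenv` as the command, which prints every environment variable — including the value just injected from pillar — into the command output that `cmd.run` records in the state return, so it works against the "minimize pillar data exposure" goal the sentence states. Suggest a neutral placeholder such as `my-command:` in place of `printenv:`, or a sentence after the example saying that command output is returned and logged, so a command that echoes its environment should not be combined with secret values. It would also help to say in one sentence what the slot buys over the Jinja form shown just above it — as I understand slots, the value is resolved on the minion when the state executes rather than being written into the rendered state data — since "minimize pillar data exposure" on its own does not explain the mechanism.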
@@ -237,6 +237,31 @@ Better yet, use the slots feature to insert the data at runtime and minimize pil
 cmd.run:
 - env: __slot__:salt:pillar.get(example:key)
+How do I pass sensitive data to a command?
+------------------------------------------
+
+Passing sensitive data to commands using command line arguments
+or environment variables is a well-known security loophole and is not recommended.
+
+If your command can read from stdin, use the stdin option
+in combination with the slots feature. Example:
+
+.. code-block:: yaml
+
+ my-command --read-password-from-stdin:
+ cmd.run:
+ - stdin: __slot__:salt:pillar.get(example:secret)
+
+If your command can read from a file and is running on a Unix-ish system,
+pass /dev/stdin as the file and feed the data to stdin. Example:
+
+.. code-block:: yaml
+
+ step ca certificate server.example.com cert.pem key.pem --provisioner JWK --provisioner-password-file /dev/stdin:
+ cmd.run:
+ - stdin: __slot__:salt:pillar.get(server:provisioner_password)
+
+The use of the slots feature keeps minions who can render the state file from stealing the password.
 """
 import copy

From 6a788482cfb57bd29ca24ee4528c42084031954b Mon Sep 17 00:00:00 2001
From: merlinz01 <158784988+merlinz01@users.noreply.github.com>
Date: Wed, 24 Apr 2024 13:57:29 -0400
Subject: [PATCH 3/3] note permission errors for /dev/stdin and possibility of using "-" for stdin

---
 salt/states/cmd.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/salt/states/cmd.py b/salt/states/cmd.py
index a159606663a..e9fb2a2315f 100644
--- a/salt/states/cmd.py
+++ b/salt/states/cmd.py
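Review bot: The sentence calling command-line arguments and environment variables a "well-known security loophole" should say why, otherwise readers cannot judge whether it applies to their setup: both are readable by other local processes and users through process listings, and they tend to end up in shell history, job logs and the state return. Suggest `Passing sensitive data to commands as command-line arguments or environment variables is not recommended: other processes and users on the same host can read them, and they can end up in shell history, logs and the job return.` The closing sentence, `The use of the slots feature keeps minions who can render the state file from stealing the password.`, overstates the benefit — pillar data is already targeted per minion, so what a slot adds, as I read the slots documentation, is that the secret is resolved at execution time instead of being written into the rendered state data (for example `state.show_sls` output or the cached highstate); I would reword it along those lines, hedged to whatever the slots documentation actually guarantees.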
@@ -248,10 +248,18 @@ in combination with the slots feature. Example:
 .. code-block:: yaml
- my-command --read-password-from-stdin:
+ my-command --read-secret-from-stdin:
 cmd.run:
 - stdin: __slot__:salt:pillar.get(example:secret)
+Some commands read from stdin when "-" is passed as an input file:
+
+.. code-block:: yaml
+
+ gcc - -x c -o ./myprogram:
+ cmd.run:
+ - stdin: __slot__:salt:pillar.get(example:my_super_secret_c_code)
+
 If your command can read from a file and is running on a Unix-ish system,
 pass /dev/stdin as the file and feed the data to stdin. Example:
@@ -260,6 +268,10 @@ pass /dev/stdin as the file and feed the data to stdin. Example:
 step ca certificate server.example.com cert.pem key.pem --provisioner JWK --provisioner-password-file /dev/stdin:
 cmd.run:
 - stdin: __slot__:salt:pillar.get(server:provisioner_password)
+ - unless: step certificate needs-renewal cert.pem 2>&1 | grep "certificate does not need renewal"
+
+Note: The use of the runas option or sudo will cause permission errors when reading /dev/stdin.
+If you need to run as a specific user the command will have to read from the usual internal stdin file descriptor.
 The use of the slots feature keeps minions who can render the state file from stealing the password.
 """
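Review bot: The added note about `runas`/sudo in the second hunk states the symptom but not the cause, and "the usual internal stdin file descriptor" is vague enough that readers will not know what to change. As far as I know the error arises because `/dev/stdin` is re-opened by path and resolves to a pipe created by the minion process, which the switched-to user may not be permitted to open, whereas file descriptor 0 is inherited and stays readable; suggest `If you need to run as a specific user, choose a command that reads its inherited stdin directly (for example via a "-" argument, as shown above) rather than re-opening /dev/stdin by path.` For consistency with the module's Sphinx-rendered docs, `Note:` is better written as a `.. note::` directive. The `unless` line added to the `step` example pipes into `grep`, so the exit status is grep's: if `step` is missing or errors out, the renewal command runs anyway; that is probably the intended fail-safe direction, but a short sentence saying so would save the next reader from wondering.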