Conversation

Notices

1. Embed this notice
   dansup (dansup@mastodon.social)'s status on Thursday, 14-Mar-2024 19:52:50 JST dansup

   Adding the ability to edit S3 api key/secret credentials is sketchy and requires careful consideration.

   Before: fetch from cached .env variables

   After: fetch from redis cache, if fails fetch from db, if fails fetch from cached .env vars

   Now we need to store api keys in the database and hydrate the cache with the values, so I'm encrypting the db values and decrypting them in the redis cache.

   Few db columns need this level of security, but I think I got this right 🤔

   #pixelfed #security

   • Embed this notice
     dansup (dansup@mastodon.social)'s status on Thursday, 14-Mar-2024 20:09:42 JST dansup

     in reply to

     • 🌈 BarbaPulpe 😇 ᴹᵃˢᵗᵒᵈᵒⁿ

     @barbapulpe The redis value is unencrypted but it is masked when displayed on the admin dashboard

   • Embed this notice
     🌈 BarbaPulpe 😇 ᴹᵃˢᵗᵒᵈᵒⁿ (barbapulpe@gayfr.social)'s status on Thursday, 14-Mar-2024 20:09:44 JST 🌈 BarbaPulpe 😇 ᴹᵃˢᵗᵒᵈᵒⁿ

     in reply to

     @dansup
     Even the S3 portal UI will only show you the secret once (on creation of the API key). Compromising that key leaves all your files open to leakage or deletion, so I'm very cautious in storing it in a redis cache unencrypted.

   • Embed this notice
     🌈 BarbaPulpe 😇 ᴹᵃˢᵗᵒᵈᵒⁿ (barbapulpe@gayfr.social)'s status on Thursday, 14-Mar-2024 20:09:45 JST 🌈 BarbaPulpe 😇 ᴹᵃˢᵗᵒᵈᵒⁿ

     in reply to

     @dansup
     Do we actually need the ability to edit S3 keys? This is a very rare task and multiplying the key storage to several locations does not seem good for security, to enable a task which does not require to be done from the UI in my opinion.

   • Embed this notice
     dansup (dansup@mastodon.social)'s status on Thursday, 14-Mar-2024 20:10:37 JST dansup

     in reply to

     • Andy

     @pixel they are encrypted at rest, the reason we need to support database storage is for the admin dashboard.

     On the flip side, you will have the ability to disable the admin dashboard settings entirely via env and force env only usage!

   • Embed this notice
     Andy (pixel@desu.social)'s status on Thursday, 14-Mar-2024 20:10:39 JST Andy

     in reply to

     @dansup you should have stopped after the first line.

     just having storage credentials in ENV is enough, they never really need to be in the database.

   • Embed this notice
     dansup (dansup@mastodon.social)'s status on Thursday, 14-Mar-2024 20:11:44 JST dansup

     in reply to

     • 🌈 BarbaPulpe 😇 ᴹᵃˢᵗᵒᵈᵒⁿ

     @barbapulpe I'll leave that up to each admin to decide, you will have the ability to disable this entirely if you choose and just use ENV vars

   • Embed this notice
     dansup (dansup@mastodon.social)'s status on Thursday, 14-Mar-2024 20:14:25 JST dansup

     in reply to

     • 🌈 BarbaPulpe 😇 ᴹᵃˢᵗᵒᵈᵒⁿ

     @barbapulpe well considering you can also call these config values from the env, if an exploit is possible then there are bigger issues tbh

   • Embed this notice
     🌈 BarbaPulpe 😇 ᴹᵃˢᵗᵒᵈᵒⁿ (barbapulpe@gayfr.social)'s status on Thursday, 14-Mar-2024 20:14:26 JST 🌈 BarbaPulpe 😇 ᴹᵃˢᵗᵒᵈᵒⁿ

     in reply to

     @dansup
     I'm more worried about an exploit on a user (pixel, www-data) which is in the redis group.