From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 1602 invoked by alias); 19 Nov 2019 16:13:42 -0000 Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Subscribe: Sender: elfutils-devel-owner@sourceware.org Received: (qmail 1587 invoked by uid 89); 19 Nov 2019 16:13:42 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Checked: by ClamAV 0.100.3 on sourceware.org X-Virus-Found: No X-Spam-SWARE-Status: No, score=-6.5 required=5.0 tests=AWL,BAYES_00,SPF_PASS autolearn=ham version=3.3.1 spammy=defense, yours X-Spam-Status: No, score=-6.5 required=5.0 tests=AWL,BAYES_00,SPF_PASS autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on sourceware.org X-Spam-Level: X-HELO: gnu.wildebeest.org Received: from wildebeest.demon.nl (HELO gnu.wildebeest.org) (212.238.236.112) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 19 Nov 2019 16:13:41 +0000 Received: from tarox.wildebeest.org (tarox.wildebeest.org [172.31.17.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by gnu.wildebeest.org (Postfix) with ESMTPSA id 16D6B302BBFD; Tue, 19 Nov 2019 17:13:38 +0100 (CET) Received: by tarox.wildebeest.org (Postfix, from userid 1000) id B28B6413CEAA; Tue, 19 Nov 2019 17:13:38 +0100 (CET) Message-ID: Subject: Re: patch 5 debuginfod: prometheus metrics From: Mark Wielaard To: "Frank Ch. Eigler" Cc: elfutils-devel@sourceware.org, amerey@redhat.com Date: Tue, 19 Nov 2019 16:13:00 -0000 In-Reply-To: <20191118164750.GB2880@redhat.com> References: <20191028190438.GC14349@redhat.com> <20191028190602.GD14349@redhat.com> <20191028190726.GE14349@redhat.com> <20191104214823.GA17633@redhat.com> <20191107090732.GA19337@redhat.com> <20191107090833.GB19337@redhat.com> <20191115175757.GA15272@redhat.com> <20191118164750.GB2880@redhat.com> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Mailer: Evolution 3.28.5 (3.28.5-5.el7) Mime-Version: 1.0 X-Spam-Flag: NO X-IsSubscribed: yes X-SW-Source: 2019-q4/txt/msg00181.txt.bz2 Hi, On Mon, 2019-11-18 at 11:47 -0500, Frank Ch. Eigler wrote: > > > > > +control. The \fI/metrics\fP webapi endpoint is probably not > > > > > +appropriate for disclosure to the public. > > > >=20 > > > > So, should there be an option to turn it off? > > >=20 > > > IMHO not necessary. The security section already advises against > > > exposing an unprotected debuginfod server to the public. A > > > front-end > > > reverse-proxy would easily filter requests to /metrics. > >=20 > > I think defense in depth is not a bad thing. > > You already have local users to which it is exposed. >=20 > Local users can already run "ps awux" to see the same semi-sensitive > command line arguments. I am not sure the existence of other side channel information leaks is reason to just allow more. Also there are system setups where you cannot see command line arguments through ps awux for processes that aren't yours (mount procfs with hidepid=3D1). I do see it is less information that I thought though. It really is just the directories given and the number of things found in them. I still would like an option to turn the metrics off, but I don't think it needs to be on by default since the information exposed doesn't seem to really be that sensitive. So lets just mark this as future wishlist. Cheers, Mark