Bug #9430

[SDKs] crunch-job leaks API tokens to the process list

Added by Brett Smith almost 10 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assigned To:
-
Category:
-
Target version:
-
Story points:
-

Description

When you run crunch-job, it creates subprocesses that include the Arvados API token in the argv. For example, environment variables get converted to docker run --env options. Since ARVADOS_API_TOKEN is an environment variable, this gets included.

This is a security problem when people use crunch-job to run jobs on a local system, like a shell node. Other users on that system can grab the token out of the process list and use it to impersonate the user.
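To make the leak concrete, here is an added example in Python. It is not crunch-job's own code (crunch-job is Perl), and the variable names, the set of sensitive names, and the exact `--env` handling are assumptions about the pattern the report describes. The script builds the `docker run` argument list the leaky way (`--env NAME=VALUE` for every variable) and the hardened way (bare `--env NAME` for secrets, which makes the docker CLI read the value from its own inherited environment instead of argv), checks whether the token string appears on the command line, and, on Linux, starts a stand-in child with that argv and reads it back through `/proc/<pid>/cmdline`, which is the same view any other local account gets from `ps`.

```python
"""Demonstration of how a secret placed in argv becomes visible to every
local user, and of one way to keep it out of the command line."""
import os
import subprocess
import sys

# Constructed sample environment for the user running crunch-job.
# The token is a made-up placeholder, not a real credential.
SAMPLE_ENV = {
    "ARVADOS_API_HOST": "api.example.invalid",
    "ARVADOS_API_TOKEN": "0123456789abcdef0123456789abcdef0123456789abcdef01",
    "TASK_SEQUENCE": "3",
}

# Names whose values must never appear on a command line (assumption:
# in the real tool this set would be chosen by the maintainers).
SENSITIVE_NAMES = frozenset({"ARVADOS_API_TOKEN"})


def docker_args_leaky(env):
    """The pattern the report describes: every variable is turned into
    `--env NAME=VALUE`, so the token lands in the argv of `docker run`."""
    args = ["docker", "run"]
    for name, value in sorted(env.items()):
        args += ["--env", f"{name}={value}"]
    return args


def docker_args_safe(env, sensitive=SENSITIVE_NAMES):
    """Hardened form: a sensitive variable is passed as a bare `--env NAME`.
    The docker CLI then copies the value from its own process environment
    (inherited from the caller) rather than from the argument string."""
    args = ["docker", "run"]
    for name, value in sorted(env.items()):
        if name in sensitive:
            args += ["--env", name]
        else:
            args += ["--env", f"{name}={value}"]
    return args


def leaked_secrets(argv, secrets):
    """Return, sorted, every secret value that occurs somewhere in argv."""
    return sorted(s for s in secrets if any(s in a for a in argv))


def parse_proc_cmdline(raw):
    """Split a /proc/<pid>/cmdline buffer (NUL-separated, NUL-terminated)
    into the argv list the kernel exposes to all users."""
    return [p.decode("utf-8", "replace") for p in raw.rstrip(b"\0").split(b"\0")]


def observe_as_other_user(argv):
    """Run a stand-in child with `argv` appended to its command line and read
    it back via /proc, which is world-readable. Returns the observed argv,
    or None on systems without /proc (non-Linux)."""
    if not os.path.isdir("/proc"):
        return None
    # The child only sleeps; its argv is what we want to look at. CPython's
    # Popen returns after the child has exec'd, so cmdline is already final.
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)"] + list(argv),
        env={**os.environ, **SAMPLE_ENV},
    )
    try:
        with open(f"/proc/{child.pid}/cmdline", "rb") as fh:
            return parse_proc_cmdline(fh.read())
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    token = SAMPLE_ENV["ARVADOS_API_TOKEN"]
    for label, builder in (("leaky", docker_args_leaky), ("safe", docker_args_safe)):
        argv = builder(SAMPLE_ENV)
        seen = observe_as_other_user(argv) or argv
        visible = bool(leaked_secrets(seen, {token}))
        print(f"{label:5s}: token visible in process list: {visible}")
```

The hardened form only works because the caller's own environment still carries `ARVADOS_API_TOKEN`; `docker run --env NAME` (and `--env-file`) are documented ways to hand a value to the container without putting it on the command line. Note that the environment of the docker CLI process itself is readable only by the same user (and root), unlike argv.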

#1

Updated by Tom Clegg almost 10 years ago

Related, but not exactly the same issue: Running a (regular non-local batch) job in a shared project can expose the per-job token, via the live logging facility, to another user who can read that project. In such a case, the token is revoked when the job ends, so (unlike the local job case described above) there is a limited window during which the second user can take advantage of the leaked token.

#2

Updated by Peter Amstutz about 6 years ago

  • Status changed from New to Closed