Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:102090
Return-Path: <tom@ctors.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 71453 invoked from network); 3 May 2018 18:29:44 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 3 May 2018 18:29:44 -0000
Authentication-Results: pb1.pair.com smtp.mail=tom@ctors.net; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=tom@ctors.net; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ctors.net designates 209.85.213.47 as permitted sender)
X-PHP-List-Original-Sender: tom@ctors.net
X-Host-Fingerprint: 209.85.213.47 mail-vk0-f47.google.com  
Received: from [209.85.213.47] ([209.85.213.47:45028] helo=mail-vk0-f47.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 38/A7-32200-6155BEA5 for <internals@lists.php.net>; Thu, 03 May 2018 14:29:44 -0400
Received: by mail-vk0-f47.google.com with SMTP id x66-v6so7332874vka.11
        for <internals@lists.php.net>; Thu, 03 May 2018 11:29:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ctors-net.20150623.gappssmtp.com; s=20150623;
        h=mime-version:from:date:message-id:subject:to;
        bh=Kf5hHh9EwT2gqQJApEIuU2gh1KXSMX6FRl1vcGepfzA=;
        b=gzLdsBs09F9Z/jeHCwVLg8lgsYH0iChkc9fOYI+JdHuElS8hMGGEkqwPvgC+S82Zuq
         Ov+30ovKTpM1fES72wf3pFb8KAhKHtywG5ZKVi7hOqwev20yzNSg3ylumJmtz2iq27zR
         7efhiZSgcuXPYmrAdgG75PrW72TSnDgXovpL+pwq5RyixY5AeZLgz3mcy8KjGJ8shDre
         Zfx+tQwwAwDoC4GVnnIexZ8XwtflqEN53IfOvSfrxWOt5HPhWL36Qoi4ZC65BxzQs9mI
         euT+NPqe+yOvAbhbCC62SltbjzwiSl88xf2gquDOnmt6n3ZlQOJkQenyM2w8H5YDpeLI
         MjzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=Kf5hHh9EwT2gqQJApEIuU2gh1KXSMX6FRl1vcGepfzA=;
        b=g1UOCYaYD6YgMf7ZG5Nlpg4wHbIQIB6rYmv+dBrF+iPYRj1NH8Vpo8on1fXIjomJUw
         hSoyR5Mroayx5kcG6PVjlJPHnACXGOaP6HlBtuWeTaLYLDIbCiadU5tQrS+8q0vWsEXn
         oE9+wwIP8GBwHYbUND/eEf/FL6poHBdIJCEKQyd3hiTzinYdD0nBxCYA2EmqwU8FirdW
         2rZRrpj940yfOIYO+OQnKBAnPJoTs03qJauogBTOkwq/7i1/IME/IAPyZt6v9qHJ+wI9
         90DUDSb2QUeu44L5FMGnyOz0heNNZOihWhm+Ks2too+MoIPeML22oX7gpmArX9Z1xB03
         vLiA==
X-Gm-Message-State: ALQs6tDE+488kTdS6kJKlExFFlYb72oKvUPiIWvbmawoZ3E1bq/IRzHr
	imGvg+8dPL8qoF7YQVhobTvPciATX6/m7e4LnuAEaWH+bJ8=
X-Google-Smtp-Source: AB8JxZrVAmHntRkPO1xf3P5fUNVLhuqtuEq/If4zE037zQuQM5vkIyruI4XU7dM9r4FeaQp9BkGfJfbbWt8YNAM71RM=
X-Received: by 2002:a1f:c0c1:: with SMTP id q184-v6mr17703910vkf.144.1525372179953;
 Thu, 03 May 2018 11:29:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.78.69 with HTTP; Thu, 3 May 2018 11:29:39 -0700 (PDT)
X-Originating-IP: [94.226.33.191]
Date: Thu, 3 May 2018 20:29:39 +0200
Message-ID: <CAN+C6bU3BJRmKpxLjaXMaJOKbKq1-+uG-=+xHQn=dSumsk_JPg@mail.gmail.com>
To: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000efd097056b51624f"
Subject: [PHP-DEV] More secure credentials storage
From: tom@ctors.net (Tom Van Looy)

--000000000000efd097056b51624f
Content-Type: text/plain; charset="UTF-8"

Hi

I ended up in a discussion about using secure password storage today and
started thinking about solutions for the problem. Some frameworks suggest
putting all kinds of credentials in environment variables. This practice
seems to originate from a recommendation on 12factor.net.

The problem I see with this practice is that it is so easy to leak
environment variables. Like if you are running a phpinfo() page somewhere
that is not a very big deal until it contains all your passwords and API
keys in plain text. Jikes!

I favor putting credentials in config files that are outside of the
document root. That is also not perfect but at least the risk to leak them
from the environment is mitigated.

Now, I understand that the practice of using environment variables comes in
very handy if you use containers. Just launch your app in a container and
pass it some information about the environment, credentials, ... and you
can reuse the same container in the entire DTAP cycle.

So, how can we improve this situation?

As a PHP FPM user, my solution would be to add a sec_env[] configuration
instruction to the pool configuration that reads the configured value from
the environment, puts it in a more secure location and immediately unsets
it in the environment. Applications will need to read the credentials from
somewhere else, we can provide userland functions for that.

The credentials can be somewhere in the memory of the child process, or
maybe even better is to fork a separate process just to keep the sensitive
variables. The children would be able to communicate with this process over
domain sockets ...

The main intention is to get the credentials out of the environment
variables. You need to setup a connection to a database or API? Get a
password from the secure storage, make the connection and get rid of the
password.

Some side notes:

If it's an environment variable like FRAMEWORK_ENV=prod, which I think is
the valid use-case for environment variables, we don't bother with it.

For CLI applications on the other hand this issue seems less relevant, so I
did not try to solve that problem.

I am aware of tools like Vault, etcd, ... but they solve a different
problem and have their own caveats IMO.

I will be the one writing the proof of concept if this idea would make it
to an RFC. There are still some things I need to figure out but it seems
doable.

I'm looking forward to your feedback.

Kind regards,

Tom Van Looy

ps: today is international password day. What day is better to start a
discussion about secure password storage :-)

--000000000000efd097056b51624f--