Linux history exposes Vault/secret


This is more of a question since I didn’t manage to find it anywhere, and it is related to the image GitHub - hashicorp/vault-k8s: First-class support for Vault and Kubernetes.

When one works “semi-manually”, I believe it is possible to retrieve secrets either directly through Vault or by looking at the history itself. What I mean by “semi-manually” is, for example, to exec into the vault pod (`kubectl exec -it vault-0 -- sh`) and either:

  • enter `export VAULT_TOKEN`
  • enter `vault kv put ...`

What this in turn allows is for someone else with access to the cluster to also exec into the vault pod and do:

  • `history | grep export` to get the token and reuse it (and look at all secrets this token has access to)
  • `history | grep "kv put"` to get the secret directly

This can of course be mitigated by:

  • deleting the token
  • deleting the pod where either the token or the secret was entered
  • deleting the history file in the pod (`echo "" > ~/.ash_history`)
  • using scripts to enter secrets

Note that neither a space prefix nor `history -d` works in this image. This probably also affects non-k8s setups, where “deleting the pod” might be less trivial.

Now, this might also be due to misuse on my part. I am sorry if I missed a question or something in the documentation that mentions this shouldn’t be used in such a way :)

Best regards
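
A check for the exposure described in the post, as an added example that is not part of the original post or of the vault-k8s project: it scans a shell history file such as `~/.ash_history` for lines that carry a Vault token or an inline secret value. The patterns and finding names are assumptions derived from the commands in the post; the Vault CLI's `key=-` (read the value from stdin) and `@file` input forms are treated as safe because the value never reaches the command line.

```shell
#!/bin/sh
# Added example: flag history lines that leak Vault tokens or secret values.
# Patterns and finding names are illustrative assumptions, not a complete rule set.

# audit_history [FILE]  -> prints "LINE:KIND" per finding (reads stdin if no FILE)
audit_history() {
    awk '
    # Literal token on the command line; VAULT_TOKEN=$(...) or =$VAR is not flagged
    /(^|[ \t;])VAULT_TOKEN=[^ \t$]/ { print NR ":token-in-env"; next }
    # Token passed as an argument; a bare "vault login" prompts instead
    /(^|[ \t;|&])vault[ \t]+login[ \t]+[^- \t]/ { print NR ":token-in-login"; next }
    # kv put/patch with an inline key=value pair
    /(^|[ \t;|&])vault[ \t]+kv[ \t]+(put|patch)[ \t]/ {
        n = split($0, f, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (f[i] !~ /^[^-=][^=]*=./) continue   # flags (-mount=...) and paths
            if (f[i] ~ /^[^=]+=-$/) continue        # key=-  : value read from stdin
            if (f[i] ~ /^[^=]+=@/) continue         # key=@f : value read from a file
            print NR ":secret-in-kv"; next
        }
    }
    ' "$@"
}

# Constructed sample history (values are placeholders, not real tokens)
sample_history() {
    cat <<'EOF'
vault status
export VAULT_TOKEN=hvs.CONSTRUCTED-EXAMPLE
vault kv put secret/app password=example-value
vault kv put secret/app password=-
vault kv put -mount=secret app @data.json
vault login
vault login hvs.CONSTRUCTED-EXAMPLE
export VAULT_TOKEN=$(cat /tmp/t)
EOF
}

# Usage inside the pod: audit_history ~/.ash_history
sample_history | audit_history
```

Lines 4 to 6 and line 8 of the sample show forms that keep the token or value out of history, which is what "using scripts to enter secrets" achieves in practice.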