Hi everybody,
I just installed seaf-cli on one of our Linux servers. This worked like a charm and some tests I did with our server worked really great. As our server uses SSO we have to use -T <web-api auth token> for commands that need authentication.
As this is a multi-user system there is a security problem wrt that: when some other users run e.g. ps -eaf while I run e.g. seaf-cli sync ... -T <my web-api auth token> they see my full command including my authorisation token!
Is there a possibility to avoid this problem?
E.g. by storing the auth-token in the configuration somehow?
Or by asking for it interactively when it’s missing?
Regards,
Hermann
Currently no alternative. We’ll add config file in future version.
Thanks @Jonathan!
Are you already working on this?
Are you interested in a pull request on GitHub?
I looked into the code and I am thinking about implementing it like this:
- Change the code such that whenever the web-api token is “needed” it gets read from the value of the configuration key web_api_auth_token (or do you prefer another name?). If -T is specified that takes precedence.
- That means one can use seaf-cli config -k web_api_auth_token -v <Token-Value> once and never again has to specify the token on the command-line.
What do you think?
Yes. It would be great if you can contribute a PR.
If we’re to implement it, we’ll likely do it like this:
- The configuration file would be in ini format, similar to other seafile config files. A new option for the command line will be added, such as -C <config-file> to specify the file path.
- A few more options can be added into the config file, such as server name and user name.
For the sake of completeness: the URL of the pull-request: https://github.com/haiwen/seafile/pull/2643
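
One way to implement the precedence discussed in this thread (-T, then a value from an ini config file, then an interactive prompt), as an added Python example that is not seaf-cli's code or the code in the pull request. The `[account]` section name, the function names and the owner/mode check are assumptions; `web_api_auth_token` is the key name proposed above.

```python
import configparser
import getpass
import os
import stat

SECTION = "account"            # assumed section name, not defined in the thread
KEY = "web_api_auth_token"     # key name proposed in the thread


class InsecureConfigError(Exception):
    """The config file is owned by someone else or open to group/others."""


def token_from_config(path):
    """Return the token from an ini file, or None if the file or key is absent."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except FileNotFoundError:
        return None
    with os.fdopen(fd, encoding="utf-8") as fh:
        # fstat the open descriptor so the file checked is the file read.
        st = os.fstat(fh.fileno())
        if st.st_uid != os.getuid():
            raise InsecureConfigError(f"{path}: not owned by the current user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(st.st_mode)
            raise InsecureConfigError(f"{path}: mode {mode:o}, expected 600")
        parser = configparser.ConfigParser(interpolation=None)  # '%' may occur in tokens
        parser.read_file(fh)
    return parser.get(SECTION, KEY, fallback=None) or None


def resolve_token(cli_token, config_path, prompt=getpass.getpass):
    """Precedence: -T value, then config file, then interactive prompt."""
    if cli_token:
        return cli_token       # still visible in ps output; kept for compatibility
    token = token_from_config(config_path)
    if token:
        return token
    return prompt("Web API auth token: ")   # getpass does not echo the input


def write_config(path, token):
    """Write the token; a newly created file gets mode 0600 from the start."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(f"[{SECTION}]\n{KEY} = {token}\n")
```

Moving the token out of the command line only helps if the file holding it is not readable by the same users who could run ps, which is why the reader refuses a file with any group or other permission bits set.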