Seaf-cli: security problem: web-api auth token visible via e.g. ps command

Hi everybody,

I just installed seaf-cli on one of our Linux servers. This worked like a charm and some tests I did with our server worked really great. As our server uses SSO we have to use -T <web-api auth token> for commands that need authentication.

As this is a multi-user system, there is a security problem with regard to that: when other users run e.g. ps -eaf while I run e.g. seaf-cli sync ... -T <my web-api auth token>, they see my full command, including my authorisation token!

Is there a possibility to avoid this problem?
E.g. by storing the auth-token in the configuration somehow?
Or by asking for it interactively when it's missing?

Regards,
Hermann

Currently no alternative. We’ll add config file in future version.

Thanks @Jonathan!

Are you already working on this?
Are you interested in a pull request on GitHub?

I looked into the code and I am thinking about implementing it like this:

  1. Change the code such that whenever the web-api token is "needed" it gets read from the value of the configuration key web_api_auth_token (or do you prefer another name?). If -T is specified, that takes precedence.
  2. That means one can use seaf-cli config -k web_api_auth_token -v <Token-Value> once and never again has to specify the token on the command-line.

What do you think?

Yes. It would be great if you can contribute a PR.

If we’re to implement it, we’ll likely do it like this:

  1. The configuration file would be in ini format, similar to other seafile config files. A new option for the command line will be added, such as -C <config-file> to specify the file path.
  2. A few more options can be added into the config file, such as server name and user name.
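The following is an added example, not seaf-cli's own code and not the code of the pull request discussed in this thread. It sketches the lookup order proposed in the two posts above: -T on the command line wins, otherwise the token is read from a web_api_auth_token key in an ini file given with -C, otherwise an optional interactive prompt is used. It also adds the check that matters on a shared host: a token file is only an improvement over argv if nobody else can read it, so the file is created with mode 0600 and rejected if it is group- or world-readable. The section name [seaf-cli], the server/user keys, the file name and the token values are assumptions made up for the demo.

```python
"""Token lookup with -T > config file > prompt, plus a permission check.
Added example, not seaf-cli's real code; section/key layout is assumed."""
import argparse
import configparser
import os
import stat
import tempfile

CONFIG_SECTION = "seaf-cli"        # assumed section name
TOKEN_KEY = "web_api_auth_token"   # key name proposed in the thread


def check_private(path):
    """Refuse a config file that other users on the host could read.
    Mode bits for group/other are exactly what would hand the token to
    the same people who could already read it from ps output."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            "%s is readable by other users (mode %o); chmod 600 it" % (path, mode))


def load_config(path):
    """Parse the ini file (after the permission check) into a plain dict."""
    check_private(path)
    parser = configparser.ConfigParser()
    with open(path) as fh:
        parser.read_file(fh)
    if not parser.has_section(CONFIG_SECTION):
        return {}
    return dict(parser.items(CONFIG_SECTION))


def resolve_token(cli_token, config_path, prompt_fn=None):
    """Return (token, source). -T wins, then the config file, then an
    interactive prompt if one was supplied (e.g. getpass.getpass)."""
    if cli_token:
        return cli_token, "command line"
    if config_path and os.path.exists(config_path):
        token = load_config(config_path).get(TOKEN_KEY)
        if token:
            return token, "config file"
    if prompt_fn is not None:
        return prompt_fn(), "prompt"
    return None, None


def write_private_config(path, options):
    """Create the ini file with mode 0600 from the first write, so there is
    no window in which a default umask leaves it world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("[%s]\n" % CONFIG_SECTION)
        for key, value in options.items():
            fh.write("%s = %s\n" % (key, value))
    os.chmod(path, 0o600)  # tighten again in case the file already existed


def parse_args(argv):
    parser = argparse.ArgumentParser(prog="seaf-cli-token-demo")
    parser.add_argument("-T", dest="token", default=None,
                        help="web-api auth token (visible to every user via ps)")
    parser.add_argument("-C", dest="config", default=None,
                        help="ini config file holding the token instead")
    return parser.parse_args(argv)


def run_demo():
    """Exercise the precedence rules and the permission check on a
    constructed config file; returns the observations as a dict."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "seaf-cli.conf")
    write_private_config(path, {"server": "https://seafile.example.org",
                                "user": "hermann@example.org",
                                TOKEN_KEY: "constructed-token-from-file"})
    results = {}
    args = parse_args(["-C", path])
    results["from_config"] = resolve_token(args.token, args.config)
    args = parse_args(["-T", "token-on-cmdline", "-C", path])
    results["cli_wins"] = resolve_token(args.token, args.config)
    results["prompt_fallback"] = resolve_token(None, None,
                                               prompt_fn=lambda: "typed-token")
    os.chmod(path, 0o644)  # simulate a careless chmod on the shared host
    try:
        resolve_token(None, path)
        results["world_readable_rejected"] = False
    except PermissionError:
        results["world_readable_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Running the script prints the token source chosen in each scenario; the last one shows the config file being refused once it is chmod 644. Note that the file only removes the token from argv: anything else that logs command lines (shell history, sudo logs, process accounting) is handled for free, but the token is still on disk, so the 0600 check is the minimum a shared host needs.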

For the sake of completeness: the URL of the pull request: https://github.com/haiwen/seafile/pull/2643