Config file (passbolt.php) shows Password in Clear

Hello, I recently installed passbolt on CentOS 7 and everything is fine, but I'm looking at the installation directory at the path:
/var/www/passbolt/config
and I see that the file passbolt.php
shows the passwords of the MariaDB database and the Exchange mail server in clear. We have completed this installation for a very large company, and we need to know why the PHP file shows the passwords in clear …

Part of the output of the file:
```php
// Database configuration.
'Datasources' => [
    'default' => [
        'host' => 'localhost',
        'port' => '3306',
        'username' => 'root',
        'password' => 'SHOWPASSHERE *',
        'database' => 'passbolt',
    ],
],

// Email configuration.
'EmailTransport' => [
    'default' => [
        'host' => 'ges-exr.domain.com',
        'port' => 587,
        'username' => 'alprieto',
        'password' => 'SHOWPASSHERE!',
        // Is this a secure connection? true if yes, null if no.
        'tls' => null,
        // 'timeout' => 30,
        // 'client' => null,
        // 'url' => null,
    ],
],
```

Where "SHOWPASSHERE" is the password in clear, changed for this post …
Any ideas?

Thank you

Hi @Witty,

Quick disclaimer: I'm not a Passbolt developer, just a user who happens to also develop on other FOSS projects.

The file you are pointing to is a configuration file, used for the Passbolt server to connect to your Mariadb database and to your Exchange server for sending mails. Those functionalities are at the core of the application and are used pretty much every time a user interacts with the app. Having those passwords encrypted in the configuration file might represent a lot of overhead for Passbolt, as Passbolt is more about securing the secrets it contains rather than the secrets it needs to function properly :slight_smile:

From my experience, when deploying web applications, people tend to consider that the database passwords (or mail passwords) won’t need to be encrypted in the config files as they stay in a “trusted” zone (that is, the server hosting the web application itself).

Why closed? The problem persists and I need to fix it.

@Witty we do not consider this an issue; it is pretty standard for a web application to have database and email credentials (or security salt, etc.) in clear, since even if you encrypt these they will need to be decrypted on the server by the same user running the application. These configuration files should only be readable by the web server user (for example, they are not in the webroot directory and therefore not readable by, say, the end users).

If you want to "hide" the mysql password you can use other solutions. Out of the box you can use environment variables (arguably this is worse in terms of security than having the credentials in a file, but well, it's up to you); check out the docker repository for a list of supported variables: https://github.com/passbolt/passbolt_docker#environment-variables-reference . You can also edit the bootstrap process to replace/set these credentials from other systems with whatever tools you have at hand, like Vault, AWS secure token service, Google Cloud engine IAM, etc. This is not supported but it's definitely feasible.

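Since the reply above rests on the config file being readable only by the web server user, here is a small check for that, added as an example and not part of Passbolt itself. It assumes GNU `stat` (as on CentOS 7) and takes the config path and the expected owning user (e.g. `nginx` or `www-data`) as arguments; it flags any access for "other" and any group permission beyond read.

```sh
#!/bin/sh
# Added example (not Passbolt project code): verify that a config file holding
# cleartext credentials, such as /var/www/passbolt/config/passbolt.php, is
# owned by the web server user and not readable by anyone else.
# Assumes GNU stat. Usage: check_config_perms <file> <expected_owner>
check_config_perms() {
    file="$1"
    expected_owner="$2"
    [ -f "$file" ] || { echo "missing: $file"; return 2; }
    mode=$(stat -c '%a' "$file")   # e.g. "640"; no leading zero
    owner=$(stat -c '%U' "$file")
    rc=0
    # Last octal digit = "other", the one before it = "group".
    other=${mode#"${mode%?}"}
    group_other=${mode#"${mode%??}"}
    group=${group_other%?}
    if [ "$other" != "0" ]; then
        echo "$file: mode $mode grants access to all users"
        rc=1
    fi
    # Group read (4) is tolerated (e.g. root:nginx 640); write/execute are not.
    case "$group" in
        0|4) ;;
        *) echo "$file: mode $mode grants group write/execute"; rc=1 ;;
    esac
    if [ "$owner" != "$expected_owner" ]; then
        echo "$file: owned by $owner, expected $expected_owner"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$file: ok (mode $mode, owner $owner)"
    return "$rc"
}
```

A non-zero exit means the file needs `chown`/`chmod` before the cleartext credentials in it can be considered confined to the server, which is the assumption the reply relies on.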

Ok, I more or less understand what they mean by a configuration file within a secure server, but of course seeing configuration files, in this case PHP, with passwords in "clear" does not inspire much confidence.

I think the question is more or less resolved, since moving them to a separate file or encrypting them would in the end be very cumbersome.

Thank you very much for the clarification
