Description
Related command
az login
Is your feature request related to a problem? Please describe.
On Linux Azure CLI stores oauth tokens unencrypted on disk. This is understandable on headless Linux because headless Linux does not provide a standardized credential store. However, storing oauth tokens unencrypted on disk remains a security concern. This is particularly true for Azure CLI because it gives access to a wide range of Azure services.
What can be done?
One simple improvement would be to store oauth tokens under directory $XDG_RUNTIME_DIR when this exists.
Many Linux distributions use systemd and create a user session when the user logs in or starts an SSH session. When the user session is first started the system creates a tmpfs runtime filesystem and sets $XDG_RUNTIME_DIR to point to it. When the user's last session ends the system deletes the user's runtime filesystem. This is observed on both Ubuntu and Mariner (with systemd).
Storing oauth tokens under $XDG_RUNTIME_DIR would have two immediate benefits:
- The runtime filesystem uses tmpfs so oauth tokens stored in $XDG_RUNTIME_DIR are not stored on disk.
- The runtime filesystem is deleted when the user sessions terminate, so oauth tokens stored in $XDG_RUNTIME_DIR are deleted at the end of the user session.
Side effects of the proposed change:
- Users who exit an SSH session and start a new SSH session need to re-authenticate.
- Processes left running after the SSH session ends (e.g. using nohup or tmux) lose access to oauth tokens.
If these side effects are unacceptable we could allow users to override this behavior and store oauth tokens under $HOME rather than $XDG_RUNTIME_DIR (at the cost of persistent oauth tokens on disk). For example, an $AZURE_RUNTIME_DIR variable could be used alongside the existing $AZURE_CONFIG_DIR to control where runtime information such as oauth tokens is stored.
Describe the solution you'd like
When storing unencrypted oauth tokens on Linux, check whether $XDG_RUNTIME_DIR is set and refers to a valid directory, and if so store oauth tokens under $XDG_RUNTIME_DIR rather than $HOME.
See also git-credential-manager issue 1595. Note that Azure CLI gives access to git repositories in Azure DevOps (via az account get-access-token) so if Azure CLI is weaker than Git Credential Manager then it bypasses and undermines the security that Git Credential Manager provides.
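One way to implement the directory selection proposed above, as an added example that is not Azure CLI's own code. It assumes the hypothetical $AZURE_RUNTIME_DIR override from this issue, falls back to $AZURE_CONFIG_DIR (default ~/.azure) when no runtime directory is usable, and goes one step further than the text by only trusting $XDG_RUNTIME_DIR when it is a directory owned by the current user with mode 0700, as the XDG Base Directory specification requires.

```python
import os
import stat
import tempfile
from pathlib import Path
# Added illustration of the proposal, not Azure CLI code; AZURE_RUNTIME_DIR is hypothetical.

def _is_private_dir(path: Path, uid: int) -> bool:
    """Exists, is a directory, owned by uid, no group/other bits (XDG requires mode 0700)."""
    try:
        st = path.stat()
    except OSError:
        return False
    return stat.S_ISDIR(st.st_mode) and st.st_uid == uid and (st.st_mode & 0o077) == 0

def resolve_token_dir(env, uid):
    """Return (source, path): 'override', 'runtime' (tmpfs) or 'config' (persistent)."""
    if env.get("AZURE_RUNTIME_DIR"):
        return "override", Path(env["AZURE_RUNTIME_DIR"])
    runtime = env.get("XDG_RUNTIME_DIR")
    if runtime and _is_private_dir(Path(runtime), uid):  # reject unset, missing or shared dirs
        return "runtime", Path(runtime) / "azure-cli"
    return "config", Path(env.get("AZURE_CONFIG_DIR") or Path.home() / ".azure")

def ensure_token_dir(path: Path) -> int:
    """Create the directory owner-only and return its permission bits."""
    path.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(path, 0o700)  # mkdir's mode is masked by umask, so set it explicitly
    return stat.S_IMODE(path.stat().st_mode)

def demo() -> dict:
    """Constructed scenarios; temporary directories stand in for the real paths."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        private, shared, cfg = (Path(tmp) / n for n in ("run", "shared", "azure"))
        private.mkdir()
        os.chmod(private, 0o700)
        shared.mkdir()
        os.chmod(shared, 0o755)  # world-readable: must never hold tokens
        base = {"AZURE_CONFIG_DIR": str(cfg)}
        scenarios = {
            "private_runtime": {**base, "XDG_RUNTIME_DIR": str(private)},
            "shared_runtime": {**base, "XDG_RUNTIME_DIR": str(shared)},
            "unset_runtime": base,
            "override": {**base, "XDG_RUNTIME_DIR": str(private), "AZURE_RUNTIME_DIR": str(cfg)},
        }
        out = {}
        for name, env in scenarios.items():
            source, path = resolve_token_dir(env, uid)
            out[name] = (source, ensure_token_dir(path))
        return out
```

Running `demo()` shows the world-readable runtime directory being rejected in favour of the persistent fallback, while the private one is used and the override wins regardless.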
Describe alternatives you've considered
Azure CLI could go further and secure oauth tokens using Gnome Keyring when available (as Git Credential Manager does). However, Gnome Keyring is really intended for use on the Linux desktop, and headless Linux is used much more widely than the Linux desktop. Using $XDG_RUNTIME_DIR would improve both cases and should be relatively easy. Using Gnome Keyring in the desktop case could be added later.
Additional context
None.