Summary
Users with a `~/.elasticrc.yml` at `0644` permissions containing inline secrets see the following warning on every single command, including harmless ones like `elastic version` and `elastic sanitize`:

```
Warning: config file "~/.elasticrc.yml" has permissions 644 and contains inline
secrets. Run `chmod 0600 ...` to restrict access, or migrate secrets into the OS
keychain via `elastic config context edit`.
```

Showing a security warning on every invocation trains users to ignore it.
Proposed fix
Emit the warning at most once per process. A module-level boolean in the config loader or a simple check at the call site is sufficient -- no disk state needed:

```js
let permissionWarnEmitted = false
if (!permissionWarnEmitted) {
  process.stderr.write(`Warning: ...`)
  permissionWarnEmitted = true
}
```

Alternatively, only warn when the command actually reads a secret value from the file (i.e. when a `$(keychain:...)` expression is absent and a raw secret string is present).
Notes
- The warning itself is correct and should stay -- it just needs to fire once.
- The `elastic config context edit` remediation path is the right long-term fix and the warning message already points users there.
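
A sketch combining both ideas from the proposed fix (warn once, and only when a raw secret is actually present in a group- or world-accessible file). This is an added example, not code from the elastic CLI: the key names in `SECRET_KEYS`, the config shape, the sample values and the helper names are assumptions, and the once-flag lives in a closure instead of at module level so it can be exercised in isolation.

```javascript
// Added example. SECRET_KEYS and the config shape are assumptions, not the CLI's schema.
const SECRET_KEYS = new Set(['api_key', 'password', 'token'])
const KEYCHAIN_REF = /^\$\(keychain:[^)]*\)$/

// True if any secret-named key holds a raw string instead of a $(keychain:...) reference.
function hasInlineSecret(node) {
  if (Array.isArray(node)) return node.some(hasInlineSecret)
  if (node === null || typeof node !== 'object') return false
  return Object.entries(node).some(([key, value]) => {
    if (typeof value !== 'string') return hasInlineSecret(value)
    return SECRET_KEYS.has(key) && value !== '' && !KEYCHAIN_REF.test(value.trim())
  })
}

// True if group or other have any access bit set, i.e. anything wider than 0600.
function isGroupOrWorldAccessible(mode) {
  return (mode & 0o077) !== 0
}

// Returns a checker with its own "already warned" flag; a CLI would create one at load.
// `mode` is what fs.statSync(path).mode returns; `config` is the parsed YAML.
function createPermissionWarner() {
  let permissionWarnEmitted = false
  return function check(path, mode, config) {
    if (permissionWarnEmitted) return null
    if (!isGroupOrWorldAccessible(mode) || !hasInlineSecret(config)) return null
    permissionWarnEmitted = true
    const octal = (mode & 0o777).toString(8)
    return `Warning: config file "${path}" has permissions ${octal} and contains inline secrets.`
  }
}

// Constructed sample configs (not real credentials, keychain entry name is made up).
const inlineConfig = { contexts: [{ name: 'dev', api_key: 'constructed-example-value' }] }
const keychainConfig = { contexts: [{ name: 'dev', api_key: '$(keychain:dev-api-key)' }] }

const warn = createPermissionWarner()
for (const [label, mode, cfg] of [
  ['keychain ref, 0644', 0o100644, keychainConfig],
  ['inline secret, 0600', 0o100600, inlineConfig],
  ['inline secret, 0644', 0o100644, inlineConfig],
  ['inline secret, 0644 again', 0o100644, inlineConfig],
]) {
  console.log(`${label}: ${warn('~/.elasticrc.yml', mode, cfg) ?? 'no warning'}`)
}
```

Only the third case produces the warning; the keychain-only file and the `0600` file stay silent, and the repeat call is suppressed by the flag.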