Go back to the web site

Security Implications

This document describes security related issues administrators need to be aware of when using Machinery.


Machinery inspects several parts of a system which are covered by Machinery's scopes. Information about scopes is listed here.

Users of Machinery who inspect systems need to be aware of the security implications to take the right decisions on how to protect the retrieved data.

Retrieval of Data

Machinery transfers data from one end point to another via SSH (Secure Shell, using public key authentication).

Depending on the scope, Machinery collects information about files on the system. Additionally, when the --extract-files option is given for the inspect command, not only the meta data about the files (e.g. permission bits, owner, group etc .) but also the file content is extracted. Machinery does not distinguish between sensitive data (such as private keys or password files). That means that everyone with access to the system description has automatically access to all extracted files and contained sensitive data.

root/sudo Privileges

An inspection can only be done, when the user on the inspected system is either root or has sudo privileges. Information about the required sudo configuration can be found here.

Storage of Data

Access Restrictions

After an inspection has been completed, the directory where the description is stored is made readable only for the user. The data is not encrypted by Machinery.

Used Permission Bits

When Machinery extracts data, it sets permission bits for files and directories as follows:

Permission Bits Used for ...
0700 ... directories inside the description directory
0600 ... for files inside the description directory

Accessing System Descriptions

By default, all system descriptions are stored in the directory .machinery in the home directory of the user running Machinery. The directory can be redefined by the environment variable $MACHINERY_DIR. Each description has its own subdirectory. There is a manifest.json file in each description directory which contains the data of the inspection. Extracted files are stored in separate subdirectories inside the same description directory.

Presentation of Data

There are several ways how data can be presented to one or more users. The user has the option to either start a web server and view descriptions or view the descriptions only in the console.

The following commands are used to present data to users:

All of the commands listed above also have a --html option. When this option is used, Machinery starts a web server what will listen on the IP address The serve command offers also a --public option which makes the server listen on all configured IP addresses.

WARNING: When making the server reachable from the outside, users can modify the link to access also other descriptions. There is currently no way to restrict the access to only one description.

The serve command also allows the user to specify a port via the --port option. When no port is specified, the default port which is configured in the machinery config file in ~/.machinery/machinery.config) will be taken.

Export of Data


The export-autoyast command creates an AutoYaST profile for an automated installation. This will result in tar balls containing the extracted files from the system description. These files potentially contain sensitive data (e.g. passwords). This fact needs to be kept in mind, especially if these files are copied to a web server for an AutoYaST installation via HTTP.


The program kiwi allows you to build OS images for deployment. Machinery gives you the opportunity to export a KIWI description. This description can be used to build an image via Kiwi. The export-kiwi command creates a directory, where it stores the Kiwi configuration and the files of a system description. These files potentially contain sensitive data (e.g. passwords).


The created image potentially contains sensitive data (e.g. passwords) from extracted files.


The uploaded image potentially contains sensitive data (e.g. passwords) from extracted files.