GNU bug report logs - #5664
view-lossage may show passwords and sensitive information

Previous Next

Package: emacs;

Reported by: Andreas Roehler <andreas.roehler <at> online.de>

Date: Mon, 1 Mar 2010 08:17:02 UTC

Severity: normal

Done: Michael Albinus <michael.albinus <at> gmx.de>

Bug is archived. No further changes may be made.

Full log

Message #34 received at 5664 <at> debbugs.gnu.org (full text, mbox):

From: Andreas Röhler <andreas.roehler <at> easy-emacs.de>
To: Thierry Volpiatto <thierry.volpiatto <at> gmail.com>
Cc: Chong Yidong <cyd <at> stupidchicken.com>, 5664 <at> debbugs.gnu.org,
	Stefan Monnier <monnier <at> iro.umontreal.ca>
Subject: Re: bug#5664: 23.1.92; view-lossage
Date: Sun, 07 Mar 2010 16:22:36 +0100

Thierry Volpiatto wrote:
> Andreas Roehler <andreas.roehler <at> online.de> writes:
> 
>> Chong Yidong wrote:
>>> Andreas Roehler <andreas.roehler <at> online.de> writes:
>>>
>>>> emacs -q
>>>> M-x shell
>>>> /bin/su at shell prompt
>>>>
>>>> prompt for PW arrives, when PW putted in, its visible at the screen
>>>>
>>>> root-shell (bash) arrives
>>>>
>>>> M-x report-emacs-bug
>>>>
>>>> View lossage displays root-password, replaced for this report by
>>>> MY-PW-SHOWN-HERE
>>> I'm afraid I can't reproduce this.  One possibility is that you are
>>> using a locale where the password prompt is given in a language that
>>> comint-watch-for-password-prompt does not recognize.  This is a known
>>> issue; customize comint-password-prompt-regexp to add the
>>> locale-dependent password prompt(s) to the list of recognized prompts.
>>>
>> Thanks, that helps here.
>> However, think there is a bug though. If Emacs is able to display the prompt delivered,
>> it should adapt its behavior independently from the regexp already customized.
> 
> As Chong said you must use a non--english/us locale.
> I have the same problem here, my prompt is not "Password" but "Mot de
> Passe", due to my french locale.
> All the prompts for password (e.g su/sudo) in the emacs shell use a
> cryptic regex.
> Setting it is a pain, i always have undesired side effects trying to set
> them. (shell and eshell).
> 
> For shell (don't work in eshell):
> A workaround for "su" is creating an alias in bashrc:
> 
> alias su="LC_ALL=C su -l"
> 
> For sudo:
> alias sudo="sudo -p Password: "
> 
> For eshell i didn't find good solution appart putting in my .emacs:
> 
> (setenv "LC_ALL" "C")
> 
> Work fine but may create other encoding problems in others places.
> 
> The best thing should be that all emacs shell don't obey to locale
> setting for password prompt, i thing the word "password" in
> international well known.
>   

Hi, thanks,

as long it's not solved at the source of the matter, I'd prefere the last.
Better just one prompt than undergoing security-risks.

Andreas
This bug report was last modified 11 years and 119 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.