GNU bug report logs - #5664
view-lossage may show passwords and sensitive information

Previous Next

Package: emacs;

Reported by: Andreas Roehler <andreas.roehler <at> online.de>

Date: Mon, 1 Mar 2010 08:17:02 UTC

Severity: normal

Done: Michael Albinus <michael.albinus <at> gmx.de>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Thierry Volpiatto <thierry.volpiatto <at> gmail.com>
To: bug-gnu-emacs <at> gnu.org
Subject: bug#5664: 23.1.92; view-lossage
Date: Sun, 07 Mar 2010 16:52:24 +0100

Andreas Röhler <andreas.roehler <at> easy-emacs.de> writes:

> Thierry Volpiatto wrote:
>> Andreas Roehler <andreas.roehler <at> online.de> writes:
>> 
>>> Chong Yidong wrote:
>>>> Andreas Roehler <andreas.roehler <at> online.de> writes:
>>>>
>>>>> emacs -q
>>>>> M-x shell
>>>>> /bin/su at shell prompt
>>>>>
>>>>> prompt for PW arrives, when PW putted in, its visible at the screen
>>>>>
>>>>> root-shell (bash) arrives
>>>>>
>>>>> M-x report-emacs-bug
>>>>>
>>>>> View lossage displays root-password, replaced for this report by
>>>>> MY-PW-SHOWN-HERE
>>>> I'm afraid I can't reproduce this.  One possibility is that you are
>>>> using a locale where the password prompt is given in a language that
>>>> comint-watch-for-password-prompt does not recognize.  This is a known
>>>> issue; customize comint-password-prompt-regexp to add the
>>>> locale-dependent password prompt(s) to the list of recognized prompts.
>>>>
>>> Thanks, that helps here.
>>> However, think there is a bug though. If Emacs is able to display the prompt delivered,
>>> it should adapt its behavior independently from the regexp already customized.
>> 
>> As Chong said you must use a non--english/us locale.
>> I have the same problem here, my prompt is not "Password" but "Mot de
>> Passe", due to my french locale.
>> All the prompts for password (e.g su/sudo) in the emacs shell use a
>> cryptic regex.
>> Setting it is a pain, i always have undesired side effects trying to set
>> them. (shell and eshell).
>> 
>> For shell (don't work in eshell):
>> A workaround for "su" is creating an alias in bashrc:
>> 
>> alias su="LC_ALL=C su -l"
>> 
>> For sudo:
>> alias sudo="sudo -p Password: "
>> 
>> For eshell i didn't find good solution appart putting in my .emacs:
>> 
>> (setenv "LC_ALL" "C")
>> 
>> Work fine but may create other encoding problems in others places.
>> 
>> The best thing should be that all emacs shell don't obey to locale
>> setting for password prompt, i thing the word "password" in
>> international well known.
>>   
>
> Hi, thanks,
>
> as long it's not solved at the source of the matter, I'd prefere the last.
> Better just one prompt than undergoing security-risks.
Agree.
Also, since eshell su/sudo have changed recently i am unable to use an
eshell alias for sudo (with -p option).

-- 
Thierry Volpiatto
Gpg key: http://pgp.mit.edu/
This bug report was last modified 11 years and 119 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.