From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 05 07:27:16 2011
From: Jari Aalto
To: submit@debbugs.gnu.org
Subject: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Tue, 05 Apr 2011 14:27:03 +0300
Message-ID: <87fwpxdjlk.fsf@blue.sea.net>

Package: emacs
Version: 23.2+1-7
Severity: serious
Tags: security

There is a big security problem with sql.el:

    M-x sql-mysql

At the command line, anyone in a multi-user environment can dig out the passwords:

    $ ps -ef -o user,pid,args | grep mysql    # ps(1) under SUN/Solaris
    foo 9599 /usr/local/bin/mysql --user=foo --password=123456 --host=db.example.com
    bar 3732 /usr/local/bin/mysql --user=bar --password=abcdef --host=db.example.com

Jari

P.S. mysql(1) mentions that you can set database options in the ~/.my.cnf file. In the MySQL case, the manual page says:

-- System Information
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, testing), (500, unstable), (1, experimental)
Architecture: amd64
Kernel: Linux picasso 2.6.32-5-amd64 #1 SMP Wed Jan 12 03:40:32 UTC 2011 x86_64 GNU/Linux
Locale: LANG=en_US.UTF-8, LC_ALL=

-- Versions of packages `emacs depends on'.
Depends:
emacs23        23.2+1-7  GNU Emacs is the extensible self-documenting
emacs23-lucid  23.2+1-7  GNU Emacs is the extensible self-documenting
emacs23-nox    23.2+1-7  GNU Emacs is the extensible self-documenting

From debbugs-submit-bounces@debbugs.gnu.org Tue Feb 28 18:38:37 2012
From: Michael Mauger
To: 8427@debbugs.gnu.org
Date: Tue, 28 Feb 2012 15:35:25 -0800 (PST)
Message-ID: <1330472125.33805.YahooMailNeo@web126004.mail.ne1.yahoo.com>

This is not a problem with just sql-mysql, it's an issue with all database products that require a password. MySQL is one of the few that covers their tracks after they start up. When sql.el starts up one of these product interpreters that require a password, it embeds the password in the command line. If the operating system, such as GNU/Linux, displays the full command line of executing processes, the vulnerability exists.

The alternative is to rely upon the operating system's authentication and authorization so that explicit credentials do not need to be passed to the command interpreter on the command line. The one other solution provided by a couple of database products allows the credentials to be sent via an I/O channel which would hide them from prying eyes, but may be more difficult to support cross platform.

I'm open to including a warning about the potential vulnerability -- wording suggestions appreciated. Alternative solutions also welcome.

From debbugs-submit-bounces@debbugs.gnu.org Thu Jan 03 13:29:15 2013
From: Glenn Morris
Subject: control message for bug 8427
Date: Thu, 03 Jan 2013 13:29:10 -0500

severity 8427 important
tag 8427 security

From debbugs-submit-bounces@debbugs.gnu.org Wed Mar 05 21:06:20 2014
From: Glenn Morris
To: 8427@debbugs.gnu.org
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Wed, 05 Mar 2014 21:06:16 -0500
In-Reply-To: <87fwpxdjlk.fsf@blue.sea.net> (Jari Aalto's message of "Tue, 05 Apr 2011 14:27:03 +0300")
Message-ID: <2swqg8rsh3.fsf@fencepost.gnu.org>

Jari Aalto wrote:

> There is a big security problem with sql.el:
>
>     M-x sql-mysql
>
> At the command line, anyone in a multi-user environment can dig out the
> passwords:
>
>     $ ps -ef -o user,pid,args | grep mysql    # ps(1) under SUN/Solaris
>     foo 9599 /usr/local/bin/mysql --user=foo --password=123456 --host=db.example.com
>     bar 3732 /usr/local/bin/mysql --user=bar --password=abcdef --host=db.example.com

Apparently, no they cannot, since mysql replaces the password characters with x's:

http://www.lenzg.net/archives/256-basic-mysql-security-providing-passwords-on-the-command-line.html

I tested it and it is so hidden for me.

Also, with recent Linux kernels, you can enable the procfs "hidepid" feature to prevent this entire class of information leakage.

So I don't think Emacs needs to do anything but maybe add a warning statement to the doc string. Downgrading bug severity accordingly.
From debbugs-submit-bounces@debbugs.gnu.org Wed Mar 05 21:06:27 2014
From: Glenn Morris
Subject: control message for bug 8427
Date: Wed, 05 Mar 2014 21:06:25 -0500

severity 8427 normal

From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 07 18:02:39 2014
From: Stefan Monnier
To: Glenn Morris
Cc: 8427@debbugs.gnu.org
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Fri, 07 Mar 2014 18:02:36 -0500
In-Reply-To: <2swqg8rsh3.fsf@fencepost.gnu.org> (Glenn Morris's message of "Wed, 05 Mar 2014 21:06:16 -0500")

> Apparently, no they cannot, since mysql replaces the password characters
> with x's:

Of course, that still leaves the chars exposed during a short time window.


        Stefan

From debbugs-submit-bounces@debbugs.gnu.org Sun Jan 07 12:54:48 2018
From: Andrew Hyatt
To: Stefan Monnier
Cc: Glenn Morris, 8427@debbugs.gnu.org
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Sun, 07 Jan 2018 12:54:31 -0500
In-Reply-To: (Stefan Monnier's message of "Fri, 07 Mar 2014 18:02:36 -0500")

This is fairly easy to fix - mysql can check to see if the user entered a blank for the password prompt, and instead of not sending a password, send just the "--password" argument so the user can enter it into the process instead of the command line. I have a fix ready to check in that works for mysql (I'm not sure which other products support that).

Alternatively, we can just have a variable that controls whether passwords are asked for on the command line at all (if sql-password is unset), which could default to nil, making the security better by default.

BTW, I guess the attack here is that another user process can use something like strace to snoop on emacs's child processes and obtain the mysql password?

Stefan Monnier writes:

>> Apparently, no they cannot, since mysql replaces the password characters
>> with x's:
>
> Of course, that still leaves the chars exposed during a short time window.
>
>
>         Stefan

From debbugs-submit-bounces@debbugs.gnu.org Sat Oct 05 23:28:20 2019
From: Stefan Kangas
To: Andrew Hyatt
Cc: Glenn Morris, 8427@debbugs.gnu.org, Stefan Monnier
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Sun, 6 Oct 2019 05:28:00 +0200

Hi Andrew,

Andrew Hyatt writes:

> This is fairly easy to fix - mysql can check to see if the user entered
> a blank for the password prompt, and instead of not sending a password,
> send just the "--password" argument so the user can enter it into the
> process instead of the command line. I have a fix ready to check in
> that works for mysql (I'm not sure which other products support that).

I think using an empty "--password" parameter sounds like the right fix. That makes mysql prompt for the password, and we could supply it there instead. I guess that's what you meant?

Could you perhaps send your patch here for review?

> Alternatively, we can just have a variable that controls whether
> passwords are asked for on the command line at all (if sql-password is
> unset), which could default to nil, making the security better by
> default.

I'm not sure what this means, but I guess the above fix should be enough. Perhaps I'm missing something.

> BTW, I guess the attack here is that another user process can use
> something like strace to snoop on emacs's child processes and obtain
> the mysql password?

Well, according to the threads linked earlier this can still be a problem on Solaris, where the password is visible to all users if they just run "ps". Perhaps it's been fixed since whenever these comments were written though...

> Stefan Monnier writes:
>
>>> Apparently, no they cannot, since mysql replaces the password characters
>>> with x's:
>>
>> Of course, that still leaves the chars exposed during a short time window.

And as Stefan explains here the password is still exposed during a short time window even on GNU/Linux. AFAIU, it's a possible race attack which it would be nice to avoid.

Best regards,
Stefan Kangas

From debbugs-submit-bounces@debbugs.gnu.org Sat Oct 12 21:51:53 2019
From: Andrew Hyatt
To: Stefan Kangas
Cc: Glenn Morris, 8427@debbugs.gnu.org, Stefan Monnier
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Sat, 12 Oct 2019 21:51:33 -0400

On Sat, Oct 5, 2019 at 11:28 PM Stefan Kangas wrote:

> Hi Andrew,
>
> Andrew Hyatt writes:
>
> > This is fairly easy to fix - mysql can check to see if the user entered
> > a blank for the password prompt, and instead of not sending a password,
> > send just the "--password" argument so the user can enter it into the
> > process instead of the command line. I have a fix ready to check in
> > that works for mysql (I'm not sure which other products support that).
>
> I think using an empty "--password" parameter sounds like the right fix.
> That makes mysql prompt for the password, and we could supply it there
> instead. I guess that's what you meant?
>
> Could you perhaps send your patch here for review?

I no longer know where my changes are. It's been a while. But I think I can probably recreate them, which I'll try to do this week.

> > Alternatively, we can just have a variable that controls whether
> > passwords are asked for on the command line at all (if sql-password is
> > unset), which could default to nil, making the security better by
> > default.
>
> I'm not sure what this means, but I guess the above fix should be
> enough. Perhaps I'm missing something.

The idea is that instead of connecting with the --password arg, it can be left out entirely, in which case the program should ask for it (which is secure).

> > BTW, I guess the attack here is that another user process can use
> > something like strace to snoop on emacs's child processes and obtain
> > the mysql password?
>
> Well, according to the threads linked earlier this can still be a
> problem on Solaris, where the password is visible to all users if they
> just run "ps". Perhaps it's been fixed since whenever these comments
> were written though...
>
> > Stefan Monnier writes:
> >
> >>> Apparently, no they cannot, since mysql replaces the password characters
> >>> with x's:
> >>
> >> Of course, that still leaves the chars exposed during a short time window.
>
> And as Stefan explains here the password is still exposed during a
> short time window even on GNU/Linux. AFAIU, it's a possible race
> attack which it would be nice to avoid.

Yes, I think the solutions I presented should fix this. Stay tuned for a patch.

> Best regards,
> Stefan Kangas
From: Stefan Kangas
Date: Mon, 14 Oct 2019 00:09:14 +0200
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
To: Andrew Hyatt
Cc: Glenn Morris, 8427@debbugs.gnu.org, Stefan Monnier

Andrew Hyatt writes:

>> Could you perhaps send your patch here for review?
>
> I no longer know where my changes are.  It's been a while.  But I think
> I can probably recreate them, which I'll try to do this week.

[...]

> The idea is that instead of connecting with the --password arg, it can
> be left out entirely, in which case the program should ask for it
> (which is secure).

Sounds good, thanks.

Best regards,
Stefan Kangas
From: Stefan Kangas
Date: Sun, 20 Oct 2019 17:57:58 +0200
Subject: Fwd: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
To: 8427@debbugs.gnu.org

---------- Forwarded message ---------
From: Andrew Hyatt
Date: Sat 19 Oct 2019 at 04:07
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
To: Stefan Kangas

I'm attaching the fix.  The fix for MySQL was fairly straightforward.  I
tried it out, and it works.  I looked through sql.el for similar issues,
and was able to fix Vertica as well, although I've never heard of
Vertica before and couldn't test it out.  Parameters were set according
to the docs at
https://www.vertica.com/docs/9.2.x/HTML/Content/Authoring/ConnectingToVertica/vsql/CommandLineOptions.htm,
which does match the existing code.

If this looks good to you, I will submit it (I have commit access).

Stefan Kangas writes:

> Andrew Hyatt writes:
>
>>> Could you perhaps send your patch here for review?
>>
>> I no longer know where my changes are.  It's been a while.  But I think
>> I can probably recreate them, which I'll try to do this week.
> [...]
>> The idea is that instead of connecting with the --password arg, it can
>> be left out entirely, in which case the program should ask for it
>> (which is secure).
>
> Sounds good, thanks.
>
> Best regards,
> Stefan Kangas

[Attachment: 0001-Enable-password-less-connections-for-sql-where-possi.patch, base64-decoded]

From cc0bb1454b090ebaad9f01f508a4fe5984463fce Mon Sep 17 00:00:00 2001
From: Andrew Hyatt <ahyatt@gmail.com>
Date: Fri, 18 Oct 2019 21:56:52 -0400
Subject: [PATCH] Enable password-less connections for sql where possible.

* lisp/progmodes/sql.el (sql-comint-mysql, sql-comint-vertica):
  When a blank password is provided (not entered by the user), send an
  argument to signal to the SQL process to read the password inside
  the process.  This removes the slight chance that someone can spy
  on the password from ps or via other methods.
---
 lisp/progmodes/sql.el | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lisp/progmodes/sql.el b/lisp/progmodes/sql.el
index b17364b08f..6439a59633 100644
--- a/lisp/progmodes/sql.el
+++ b/lisp/progmodes/sql.el
@@ -5188,7 +5188,8 @@ The default comes from `process-coding-system-alist' and
           (if (not (string= "" sql-user))
               (list (concat "--user=" sql-user)))
           (if (not (string= "" sql-password))
-              (list (concat "--password=" sql-password)))
+              (list (concat "--password=" sql-password))
+            (list "--password"))
           (if (not (= 0 sql-port))
               (list (concat "--port=" (number-to-string sql-port))))
           (if (not (string= "" sql-server))
@@ -5648,8 +5649,9 @@ The default value disables the internal pager."
                    (list "-h" sql-server))
               (and (not (string= "" sql-database))
                    (list "-d" sql-database))
-              (and (not (string= "" sql-password))
-                   (list "-w" sql-password))
+              (if (not (string= "" sql-password))
+                  (list "-w" sql-password)
+                "-W")
               (and (not (string= "" sql-user))
                    (list "-U" sql-user))
               options)
-- 
2.19.0.605.g01d371f741-goog
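Review bot: in the @@ -5188,7 +5188,8 @@ hunk (sql-comint-mysql) the new else branch only changes the empty-password case, which now gets a bare `--password` and therefore a mysql prompt that the user has to answer with an empty line; whenever the user did enter a password, the unchanged `(list (concat "--password=" sql-password))` branch still puts it in argv, so the ps(1) exposure this bug reports is untouched for the normal case. Invert the branches: emit `--password` alone when `sql-password` is non-empty and feed the prompt from Emacs, emit nothing when it is empty.

Review bot: in the @@ -5648,8 +5649,9 @@ hunk (sql-comint-vertica) the else branch of the new `if` is the bare string "-W" where every sibling argument to the enclosing `append` is a list; `append` accepts a string as a sequence of characters, so an empty password splices the character codes 45 and 87 into the argument list instead of an option. It should read `(list "-W")`. The `(list "-w" sql-password)` branch has the same inversion as the mysql hunk: it still passes the password on the command line whenever one was entered.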
From: Stefan Kangas
Date: Sun, 20 Oct 2019 18:02:40 +0200
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
To: 8427@debbugs.gnu.org, Andrew Hyatt
Cc: Michael Mauger

(Please keep the bug address in Cc.)

Andrew Hyatt writes:

> I'm attaching the fix.  The fix for MySQL was fairly straightforward.  I
> tried it out, and it works.

I'm not sure this is the right fix.  How is the user to know that the
correct thing is to provide an empty password when prompted for it?
Why do we even prompt for the password then?

Also, what if a user wants to log in to an account that has no
password?  Should we really pass the "--password" parameter in that
case?  Does that work?

I think something like this would be better:

1. Keep the password prompt.
2. Use the naked "--password" parameter only when the user *has*
   entered a password, and use nothing when the user entered nothing.
3. Never use the "--password=" parameter.
4. When mysql prompts for the password, send it to the process
   automatically, without user interaction.

> I looked through sql.el for similar issues,
> and was able to fix Vertica as well, although I've never heard of
> Vertica before and couldn't test it out.  Parameters were set according
> to the docs at
> https://www.vertica.com/docs/9.2.x/HTML/Content/Authoring/ConnectingToVertica/vsql/CommandLineOptions.htm,
> which does match the existing code.

Unless someone can test it, perhaps we should leave out the Vertica part?

Thanks for working on this.
Best regards,
Stefan Kangas
From: Andrew Hyatt
To: Stefan Kangas
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Sun, 20 Oct 2019 20:56:32 -0400
Cc: Michael Mauger, 8427@debbugs.gnu.org

Thanks for the insightful comments - yes, everything you say makes
sense.  I've implemented what you describe.  However, I'm a little unsure
of this one - I had to advise a comint primitive and even re-implement
part of an existing comint function.  It feels like comint should perhaps
have a way to do this sort of thing within itself, but I couldn't find
any.

I've attached the latest revision.

[Attachment: 0001-Enable-password-less-connections-for-sql-where-possi.patch (Draft 2 of mysql patch)]

From 610d4d8c9bb5f04a86afc8a63b671bd035d24e36 Mon Sep 17 00:00:00 2001
From: Andrew Hyatt Date: Fri, 18 Oct 2019 21:56:52 -0400 Subject: [PATCH] Enable password-less connections for sql where possible. * lisp/progmodes/sql.el (sql-comint-mysql): When a blank password is provided (not entered by the user), send an argument to signal to the SQL process to read the password inside the process. This removes the slight chance that someone can spy on the password from ps or via other methods. We also watch for the password inside the SQL process and automatically fill it with `sql-password' (if it exists). --- lisp/progmodes/sql.el | 42 +++++++++++++++++++++++++++++++----------- 1 file changed, 31 insertions(+), 11 deletions(-) diff --git a/lisp/progmodes/sql.el b/lisp/progmodes/sql.el index b17364b08f..c453de382d 100644 --- a/lisp/progmodes/sql.el +++ b/lisp/progmodes/sql.el @@ -160,13 +160,16 @@ ;; "Connect ti XyzDB in a comint buffer." ;; ;; ;; Do something with `sql-user', `sql-password', -;; ;; `sql-database', and `sql-server'. +;; ;; `sql-database', and `sql-server'. `sql-password' will +;; ;; be sent automatically if not sent in the command-line. +;; ;; It is recommended to avoid sending in the command-line +;; ;; if possible, since this can briefly expose passwords. ;; (let ((params ;; (append ;; (if (not (string= "" sql-user)) ;; (list "-U" sql-user)) ;; (if (not (string= "" sql-password)) -;; (list "-P" sql-password)) +;; (list "-P")) ;; (if (not (string= "" sql-database)) ;; (list "-D" sql-database)) ;; (if (not (string= "" sql-server)) @@ -4664,8 +4667,8 @@ the call to \\[sql-product-interactive] with (sql-database (default-value 'sql-database)) (sql-port (default-value 'sql-port)) (default-directory - (or sql-default-directory - default-directory))) + (or sql-default-directory + default-directory))) ;; The password wallet returns a function which supplies the password. (when (functionp sql-password) 
@@ -4681,9 +4684,9 @@ the call to \\[sql-product-interactive] with (sql-generate-unique-sqli-buffer-name product nil)) ((consp new-name) (sql-generate-unique-sqli-buffer-name product - (read-string - "Buffer name (\"*SQL: XXX*\"; enter `XXX'): " - (sql-make-alternate-buffer-name product)))) + (read-string + "Buffer name (\"*SQL: XXX*\"; enter `XXX'): " + (sql-make-alternate-buffer-name product)))) ((stringp new-name) (if (or (string-prefix-p " " new-name) (string-match-p "\\`[*].*[*]\\'" new-name)) @@ -4733,12 +4736,27 @@ the call to \\[sql-product-interactive] with (get-buffer new-sqli-buffer))))) (user-error "No default SQL product defined: set `sql-product'"))) +(define-advice comint-watch-for-password-prompt + (:around (inner-func string) sql-password-autopopulate) + "Intercept password prompts when we know the password. This +must also do the job of detecting password prompts. STRING is +the potential password prompt. INNER-FUNC is the previous +definition of comint-watch-for-password-prompt, which is called +only when there is no prefilled password." + (if (and + (eq major-mode 'sql-interactive-mode) + (not (string= "" sql-password)) + (let ((case-fold-search t)) + (string-match comint-password-prompt-regexp string))) + (funcall comint-input-sender (get-buffer-process (current-buffer)) sql-password) + (funcall inner-func string))) + (defun sql-comint (product params &optional buf-name) "Set up a comint buffer to run the SQL processor. -PRODUCT is the SQL product. PARAMS is a list of strings which are -passed as command line arguments. BUF-NAME is the name of the new -buffer. If nil, a name is chosen for it." +PRODUCT is the SQL product. PARAMS is a list of strings which +are passed as command line arguments. BUF-NAME is the name of +the new buffer. If nil, a name is chosen for it." (let ((program (sql-get-product-feature product :sqli-program))) ;; Make sure we can find the program. `executable-find' does not 
@@ -5188,7 +5206,9 @@ The default comes from `process-coding-system-alist' and (if (not (string= "" sql-user)) (list (concat "--user=" sql-user))) (if (not (string= "" sql-password)) - (list (concat "--password=" sql-password))) + ;; Sending --password will make MySQL prompt for the + ;; password. + (list "--password")) (if (not (= 0 sql-port)) (list (concat "--port=" (number-to-string sql-port)))) (if (not (string= "" sql-server)) -- 2.19.0.605.g01d371f741-goog --=-=-= Content-Type: text/plain Stefan Kangas writes: > (Please keep the bug address in Cc.) > > Andrew Hyatt writes: > >> I'm attaching the fix. The fix for MySQL was fairly straightforward. I >> tried it out, and it works. > > I'm not sure this is the right fix. How is the user to know that the > correct thing is to provide an empty password when prompted for it? > Why do we even prompt for the password then? > > Also, what if a user wants to login to an account that has no > password? Should we really pass the "--password" parameter in that > case? Does that work? > > I think something like this would be better: > > 1. Keep the password prompt. > 2. Use the naked "--password" parameter only when the user *has* > entered a password, and use nothing when the user entered nothing. > 3. Never use the "--password=" parameter. > 4. When mysql prompts for the password, send it to the process > automatically, without user interaction. > >> I looked through sql.el for similar issues, >> and was able to fix Vertica as well, although I've never heard of >> Vertica before and couldn't test it out. Parameters were set according >> to the docs at >> https://www.vertica.com/docs/9.2.x/HTML/Content/Authoring/ConnectingToVertica/vsql/CommandLineOptions.htm, >> which does match the existing code. > > Unless someone can test it, perhaps we should leave out the Vertica part? > > Thanks for working on this. 
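Review bot: in the @@ -160,13 +160,16 @@ hunk the new comment promises that `sql-password' "will be sent automatically if not sent in the command-line", but nothing in this patch does that unconditionally: the password is sent only when the buffer is in `sql-interactive-mode`, `sql-password` is a non-empty string, and the product's prompt matches `comint-password-prompt-regexp`. Spell out those three conditions in the comment, otherwise a product author copying the XyzDB template's `(list "-P")` ships a client that hangs at a prompt Emacs never answers.

Review bot: the @@ -4664,8 +4667,8 @@ hunk only re-indents `(or sql-default-directory default-directory)`; it is unrelated to the fix and should be dropped from the patch.

Review bot: likewise the @@ -4681,9 +4684,9 @@ hunk only re-indents the `read-string` arguments; drop it.

Review bot: the `define-advice` in the @@ -4733,12 +4736,27 @@ hunk evaluates `(not (string= "" sql-password))` as its first real test, and `string=` signals a wrong-type-argument when `sql-password` is nil (Michael notes that login-params leaves it nil when the password is not a prompted parameter) or still holds the wallet function that the `(when (functionp sql-password)` check in the @@ -4664 context exists to handle; since this runs inside the comint output filter, that error breaks output in every sql-interactive-mode buffer whose password was never set. Test `(stringp sql-password)` first. The advice also fires on every matching prompt for the lifetime of the buffer, with no record of whether this product's comint function actually withheld the password from argv, so a reconnect prompt or a prompt for a different user mid-session receives the original password. A buffer-local flag set by `sql-comint-mysql` and cleared after the first send, installed as a function on `comint-output-filter-functions` rather than as advice on `comint-watch-for-password-prompt`, covers both points and avoids advising a comint primitive from a bundled package.

Review bot: the @@ -5188,7 +5206,9 @@ hunk matches the three cases Stefan listed (bare `--password` only when a password was entered, nothing when it was not, never `--password=`), but the commit message above it still describes the draft 1 behaviour ("When a blank password is provided ... send an argument to signal to the SQL process to read the password"), which is the opposite of what this hunk does; reword it to say the password is withheld from argv whenever one is known and supplied to mysql's prompt from `sql-password'.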
>
> Best regards,
> Stefan Kangas

Date: Mon, 21 Oct 2019 20:33:09 +0000
To: Andrew Hyatt
From: Michael Mauger
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Cc: 8427@debbugs.gnu.org, Stefan Kangas

------- Original Message -------
On Sunday, October 20, 2019 8:56 PM, Andrew Hyatt wrote:

> Thanks for the insightful comments - yes, everything you say makes
> sense.  I've implemented what you describe.  However, I'm a little unsure
> of this one - I had to advise a comint primitive and even re-implement
> part of an existing comint function.  It feels like comint should perhaps
> have a way to do this sort of thing within itself, but I couldn't find
> any.
>
> I've attached the latest revision.
>
> Stefan Kangas <stefan@marxist.se> writes:
>
> [...]

I have tried a couple of different versions of this in the past but have
found a lot of corner cases that made me back off.  Some thoughts:

* The login-params function will set `sql-password' to nil if it isn't a
  parameter being prompted for and is not set otherwise.  If it is
  prompted for and empty the variable will be an empty string not nil.
  We need some test cases written to confirm that the behavior is as we
  expect.
  Small shell scripts can be created to simulate the SQL processor for
  the general flow.  The test scripts should be included in the commit
  for this feature.

* Only supply the password using the comint password filter if support
  for passing the password on stdin is supported and expected in this
  instance.  This would probably be a flag set in the
  `sql-PRODUCT-comint-func' (based on the command line logic) and set as
  a buffer local in the buffer.  The comint filter would then check the
  flag before trying to stuff the password into the stream.  That avoids
  sending a database password to a prompt that is for other purposes.
  Also does this have to be advice to the comint filter or just another
  filter installed on the comint hook?  (Policy is that standard Emacs
  packages do not use advice and the hook is present and used by the
  existing hook.)

* Only send the password the first time a password is asked for.  Some
  interactive sql processes allow changing the connection mid-session
  and the password for the original username may not be appropriate for
  the new connection they made.  This is especially true in enterprise
  environments where password failures can be set to disable the
  database user.

* Please do not alter indenting of existing code not involved in the
  change; the indentation is deliberate in some cases and the spurious
  changes just generate noise in the diffs.  Thanks.

* Are we adding a flag to the `sql-product-alist' to indicate that
  passwords may be passed via stdin?  I would recommend that we do so
  because that way it can be globally disabled if the environment calls
  for it.  For example, a user may want to supply it on the command line
  because it is not a concern in their environment.  Some database
  products support passing the password this way, but also alter the
  command line parameters to mask out the actual password so that the
  `ps' exposure is fairly small.
Thanks for working on this but I'm still concerned that we could break
existing use of sql-interactive-mode unintentionally.

-- 
MICHAEL@MAUGER.COM // FSF and EFF member // GNU Emacs sql.el maintainer

[Attachment: 0001-Enable-password-less-connections-for-sql-where-possi.patch, a base64 copy of Andrew Hyatt's draft 2 patch above]
From: Andrew Hyatt
To: Michael Mauger
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
In-Reply-To: Michael Mauger's message of "Mon, 21 Oct 2019 20:33:09 +0000"
Date: Fri, 01 Nov 2019 21:10:46 -0400
Cc: 8427@debbugs.gnu.org, Stefan Kangas

Michael Mauger writes:

> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Sunday, October 20, 2019 8:56 PM, Andrew Hyatt wrote:
>
>> Thanks for the insightful comments - yes, everything you say makes sense. I've implemented what you describe. However, I'm a little unsure of this one - I had to advise a comint primitive and even re-implement part of an existing comint function. It feels like comint should perhaps have a way to do this sort of thing within itself, but I couldn't find any.
>>
>> I've attached the latest revision.
>>
>> Stefan Kangas stefan@marxist.se writes:
>>
>> > (Please keep the bug address in Cc.)
>> > Andrew Hyatt ahyatt@gmail.com writes:
>> >
>> > > I'm attaching the fix. The fix for MySQL was fairly straightforward. I tried it out, and it works.
>> >
>> > I'm not sure this is the right fix. How is the user to know that the correct thing is to provide an empty password when prompted for it? Why do we even prompt for the password then?
>> > Also, what if a user wants to login to an account that has no password? Should we really pass the "--password" parameter in that case? Does that work?
>> > I think something like this would be better:
>> >
>> > 1. Keep the password prompt.
>> > 2. Use the naked "--password" parameter only when the user has entered a password, and use nothing when the user entered nothing.
>> > 3. Never use the "--password=" parameter.
>> > 4. When mysql prompts for the password, send it to the process automatically, without user interaction.
>> >
>> > > I looked through sql.el for similar issues, and was able to fix Vertica as well, although I've never heard of Vertica before and couldn't test it out. Parameters were set according to the docs at https://www.vertica.com/docs/9.2.x/HTML/Content/Authoring/ConnectingToVertica/vsql/CommandLineOptions.htm, which does match the existing code.
>> >
>> > Unless someone can test it, perhaps we should leave out the Vertica part?
>> > Thanks for working on this.
>> > Best regards,
>> > Stefan Kangas
>
> I have tried a couple of different versions of this in the past but have found a lot of corner cases that made me back off.
>
> Some thoughts:
>
> * The login-params function will set `sql-password' to nil if it isn't a parameter being prompted for and is not set otherwise. If it is prompted for and empty the variable will be an empty string not nil. We need some test cases written to confirm that the behavior is as we expect. Small shell scripts can be created to simulate the SQL processor for the general flow. The test scripts should be included in the commit for this feature.
>
> * Only supply the password using the comint password filter if support for passing the password on stdin is supported and expected in this instance. This would probably be a flag set in the `sql-PRODUCT-comint-func' (based on the command line logic) and set as a buffer local in the buffer. The comint filter would then check the flag before trying to stuff the password into the stream. That avoids sending a database password to a prompt that is for other purposes. Also does this have to be advice to the comint filter or just another filter installed on the comint hook? (Policy is that standard Emacs packages do not use advice and the hook is present and used by the existing hook.)
>
> * Only send the password to the first time a password is asked for. Some interactive sql processes allow changing the connection mid-session and the password for the original username may not be appropriate for the new connection they made. This is especially true in enterprise environments where password failures can be set to disable the database user.

Your advice is good, but following it led me to some complexity I can't seem to get away from. Perhaps you have some insight, so let me explain. The issue is that, yes, I can not advise the comint function. However, if I supply my own function, then I have to remove the comint-watch-for-password-prompt, supply my own function, then restore it when the user has entered their password (so it can handle subsequent password entries). This juggling of the normal comint-watch-for-password-prompt method, plus the fact that we basically have to reimplement part of it, gives me pause - I think it's probably too hacky a solution.

There are a few ways out. We could introduce a variable used in sql-product-alist that tells SQL not to prompt for a password because the db will just get it via the comint password function. That would probably work well, but it wouldn't store the sql-password at all, that variable would be unused. Maybe that's OK, maybe not - I don't have a good sense for it.

Or, we could make this auto-password-supplying per-buffer a part of comint itself. That would widen the scope of the fix, but it would probably be the best of both functionality and simplicity.

What do you think?

>
> * Please do not alter indenting of existing code not involved in the change; the indentation is deliberate in some cases and the spurious changes just generate noise in the diffs. Thanks.
>
> * Are we adding a flag to the `sql-product-alist' to indicate that passwords may be passed via stdin? I would recommend that we do so because that way it can be globally disabled if the environment calls for it. For example, a user may want to supply it on the command line because it is not a concern in their environment. Some database products support passing the password this way, but also alter the command line parameters to mask out the actual password so that the `ps' exposure is fairly small.
>
> Thanks for working on this but I'm still concerned that we could break existing use of sql-interactive-mode unintentionally.
>
> --
> MICHAEL@MAUGER.COM // FSF and EFF member // GNU Emacs sql.el maintainer

Date: Sat, 02 Nov 2019 19:41:44 +0000
To: Andrew Hyatt
From: Michael Mauger
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Cc: 8427@debbugs.gnu.org, Stefan Kangas

On Saturday, November 2, 2019 1:10 AM, Andrew Hyatt wrote:

> Michael Mauger mmauger@protonmail.com writes:
>
> > On Sunday, October 20, 2019 8:56 PM, Andrew Hyatt ahyatt@gmail.com wrote:
> >
>
> Your advice is good, but following it led me to some complexity I can't seem to get away from. Perhaps you have some insight, so let me explain. The issue is that, yes, I can not advise the comint function. However, if I supply my own function, then I have to remove the comint-watch-for-password-prompt, supply my own function, then restore it when the user has entered their password (so it can handle subsequent password entries). This juggling of the normal comint-watch-for-password-prompt method, plus the fact that we basically have to reimplement part of it, gives me pause - I think it's probably too hacky a solution.
>
> There are a few ways out. We could introduce a variable used in sql-product-alist that tells SQL not to prompt for a password because the db will just get it via the comint password function. That would probably work well, but it wouldn't store the sql-password at all, that variable would be unused. Maybe that's OK, maybe not - I don't have a good sense for it.
>
> Or, we could make this auto-password-supplying per-buffer a part of comint itself. That would widen the scope of the fix, but it would probably be the best of both functionality and simplicity.
>
> What do you think?
>

I totally understand the complexity, but I don't think it has to be too complicated to address.

First the sql.el only solution: If the sql-comint function decides to pass the password via stdin then it can set a buffer-local flag indicating this and then replace `comint-watch-for-password-prompt' on the `comint-output-filter-functions' list with the sql version of the function. The sql password function would be something along the lines of:

    ;; TOTALLY NOT TESTED
    (defun sql-watch-for-password-prompt (string)
      "blah blah ;)"
      (if sql-will-prompt-for-password
          ;; (based on comint-watch-for-password-prompt) vvv
          (when (let ((case-fold-search t))
                  (string-match (or (sql-get-product-feature sql-product :password-prompt-regexp)
                                    comint-password-prompt-regexp)
                                string))
            (when (string-match "^[ \n\r\t\v\f\b\a]+" string)
              (setq string (replace-match "" t t string)))
            (let ((comint--prompt-recursion-depth (1+ comint--prompt-recursion-depth)))
              (if (> comint--prompt-recursion-depth 10)
                  (message "Password prompt recursion too deep")
                ;;; ^^^
                ;;; automagically provide the password
                (let ((proc (get-buffer-process (current-buffer))))
                  (when proc
                    (funcall comint-input-sender proc sql-password)
                    ;; Make sure we don't supply again
                    (setq-local sql-will-prompt-for-password nil))))))
        ;; Back to default behavior
        (comint-watch-for-password-prompt string)))

That should get you close without too much difficulty. Of course, it requires that a password-prompt-regexp feature is defined for the sql product and that the sql-comint function defines a buffer-local flag `sql-will-prompt-for-password' if it is deferring to stdin.

The other solution would involve modifying comint to call a hook if set to supply a password or nil. This would probably be a simpler change but may get broader attention. When the hook function is not set or returns nil then do the default behavior of calling `comint-send-invisible', otherwise just send the password.

There are some edge cases here, but this hopefully helps. Also, obviously, test cases are needed given that if this breaks, we break the sql interactive world!
-- 
MICHAEL@MAUGER.COM // FSF and EFF member // GNU Emacs sql.el maintainer
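The test fixture Michael asks for above (a small script standing in for the SQL processor) together with the once-only password rule from his list and his sketch, as an added example that is not from the thread or from sql.el; the fixture name, the function names and the sample secret are invented for the example.

```sh
#!/bin/sh
# Added example, not code from the bug thread or from sql.el: a stand-in
# SQL processor of the kind the maintainer asks for as a test fixture,
# plus the once-only password watcher, so the flow can be exercised
# without a real mysql(1) or an Emacs session. Names below are invented.

# fake_mysql imitates the two password conventions discussed in the
# thread: "--password=SECRET" takes the value from the command line, a
# bare "--password" makes the client prompt and read it from stdin.
# It echoes the argument vector it was started with, which is what a
# "ps -o args" listing shows for a real process.
fake_mysql() {
    user="" password="" via="none"
    for arg in "$@"; do
        case "$arg" in
            --user=*)     user="${arg#--user=}" ;;
            --password=*) password="${arg#--password=}"; via="cmdline" ;;
            --password)   printf 'Enter password:\n'
                          IFS= read -r password; via="stdin" ;;
        esac
    done
    printf 'argv: %s\n' "$*"
    printf 'auth: user=%s password=%s via=%s\n' "$user" "$password" "$via"
    printf 'mysql> \n'
}

# run_fixture MODE SECRET launches the fixture the old way (cmdline) or
# the way the patch proposes (stdin) and prints its output.
run_fixture() {
    if [ "$1" = cmdline ]; then
        fake_mysql --user=foo "--password=$2" --host=db.example.com
    else
        printf '%s\n' "$2" | fake_mysql --user=foo --password --host=db.example.com
    fi
}

# argv_contains_secret MODE SECRET succeeds when SECRET shows up in the
# argument vector, i.e. when it would be visible to other users via ps.
argv_contains_secret() {
    run_fixture "$1" "$2" | grep '^argv:' | grep -q -- "$2"
}

# auth_via MODE SECRET prints where the fixture got its password from,
# to confirm the credential still arrives when it is kept off argv.
auth_via() {
    run_fixture "$1" "$2" | sed -n "s/^auth: user=foo password=$2 via=//p"
}

# password_watcher PASSWORD reads processor output on stdin line by line
# and models the thread's rules for the comint output filter: a line that
# looks like a password prompt gets PASSWORD sent exactly once, later
# prompts fall through to the default (interactive) behaviour, and lines
# that are not prompts are left alone. The prompt test is a loose
# stand-in for comint-password-prompt-regexp, not the real regexp.
password_watcher() {
    password="$1" sent=0
    while IFS= read -r line; do
        case "$line" in
            *[Pp]assword*:*)
                if [ "$sent" -eq 0 ] && [ -n "$password" ]; then
                    sent=1
                    printf 'send:%s\n' "$password"
                else
                    printf 'passthrough:%s\n' "$line"
                fi ;;
            *)  printf 'ignore:%s\n' "$line" ;;
        esac
    done
}

# Side-by-side run with a constructed secret.
if argv_contains_secret cmdline s3cret; then
    printf '%s\n' "--password=...  : secret visible in argv"
fi
if ! argv_contains_secret stdin s3cret; then
    printf '%s\n' "bare --password : secret absent from argv, auth via $(auth_via stdin s3cret)"
fi
run_fixture stdin s3cret | password_watcher s3cret
```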
From: Andrew Hyatt
To: Michael Mauger
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Mon, 11 Nov 2019 00:31:11 -0500
In-Reply-To: Michael Mauger's message of "Sat, 02 Nov 2019 19:41:44 +0000"
Cc: 8427@debbugs.gnu.org, Stefan Kangas

I've simplified an implementation along the lines you suggest, and tested it via ert. I'm attaching the latest version of the patch. Please let me know what you think.

Attachment: 0001-Enable-passwords-to-be-sent-in-process-when-possible.patch

From 2d0632b08350d86049c2e20c50ce67d69ad52c6d Mon Sep 17 00:00:00 2001
From: Andrew Hyatt Date: Fri, 18 Oct 2019 21:56:52 -0400 Subject: [PATCH] Enable passwords to be sent in-process when possible. * lisp/progmodes/sql.el (sql-comint, sql-comint-mysql): Add a way to handle passwords to be sent in the comint process. This is controlled by the sql-product variable :password-in-comint. When true, on the first password prompt, send argument to signal to the SQL process to read the password inside the process. This removes the slight chance that someone can spy on the password from ps or via other methods. * test/lisp/progmodes/sql-tests.el: New tests for the password interception. --- lisp/progmodes/sql.el | 60 +++++++++++++++++++++++++------ test/lisp/progmodes/sql-tests.el | 61 ++++++++++++++++++++++++++++++++ 2 files changed, 111 insertions(+), 10 deletions(-) diff --git a/lisp/progmodes/sql.el b/lisp/progmodes/sql.el index b17364b08f..f7cbec7130 100644 --- a/lisp/progmodes/sql.el +++ b/lisp/progmodes/sql.el @@ -160,13 +160,16 @@ ;; "Connect ti XyzDB in a comint buffer." ;; ;; ;; Do something with `sql-user', `sql-password', -;; ;; `sql-database', and `sql-server'. +;; ;; `sql-database', and `sql-server'. `sql-password' will +;; ;; be sent automatically if not sent in the command-line. +;; ;; It is recommended to avoid sending in the command-line +;; ;; if possible, since this can briefly expose passwords. ;; (let ((params ;; (append ;; (if (not (string= "" sql-user)) ;; (list "-U" sql-user)) ;; (if (not (string= "" sql-password)) -;; (list "-P" sql-password)) +;; (list "-P")) ;; (if (not (string= "" sql-database)) ;; (list "-D" sql-database)) ;; (if (not (string= "" sql-server)) @@ -458,6 +461,7 @@ file. Since that is a plaintext file, this could be dangerous." :sqli-comint-func sql-comint-mysql :list-all "SHOW TABLES;" :list-table "DESCRIBE %s;" + :password-in-comint t :prompt-regexp "^mysql> " :prompt-length 6 :prompt-cont-regexp "^ -> " 
@@ -624,6 +628,10 @@ may be any one of the following: not-nil it is the name of a schema whose objects should be listed. + :password-in-comint true when the password is not passed in + as a parameter, but instead requested in + the comint session itself. + :prompt-regexp regular expression string that matches the prompt issued by the product interpreter. @@ -1402,6 +1410,9 @@ You can change `sql-prompt-length' on `sql-interactive-mode-hook'.") Used by `sql-rename-buffer'.") +(defvar-local sql-password-accepted-via-comint nil + "Set to true when the password was accepted via comint.") + (defun sql-buffer-live-p (buffer &optional product connection) "Return non-nil if the process associated with buffer is live. @@ -4681,9 +4692,9 @@ the call to \\[sql-product-interactive] with (sql-generate-unique-sqli-buffer-name product nil)) ((consp new-name) (sql-generate-unique-sqli-buffer-name product - (read-string - "Buffer name (\"*SQL: XXX*\"; enter `XXX'): " - (sql-make-alternate-buffer-name product)))) + (read-string + "Buffer name (\"*SQL: XXX*\"; enter `XXX'): " + (sql-make-alternate-buffer-name product)))) ((stringp new-name) (if (or (string-prefix-p " " new-name) (string-match-p "\\`[*].*[*]\\'" new-name)) 
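Review bot: the `@@ -4681,9 +4692,9 @@` hunk only re-indents the `read-string` call under `sql-generate-unique-sqli-buffer-name` and makes no functional change; the maintainer asked earlier in this thread not to alter indentation of code uninvolved in the change, so drop this hunk and keep the diff to the password logic.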
@@ -4733,12 +4744,30 @@ the call to \\[sql-product-interactive] with (get-buffer new-sqli-buffer))))) (user-error "No default SQL product defined: set `sql-product'"))) +(defun sql-watch-for-password-prompt (string) + "Intercept password prompts when we know the password. +This must also do the job of detecting password prompts. STRING +is the potential password prompt." + (if (and + sql-password + (not (string= "" sql-password)) + (not sql-password-accepted-via-comint)) + ;; In this case, we are in charge of watching for the password + ;; prompt, so let's accept or reject. If the sql-password + ;; fails, they would have to enter it manually next time. + (let ((case-fold-search t)) + (when (string-match comint-password-prompt-regexp string) + (setq sql-password-accepted-via-comint t) + (funcall comint-input-sender (get-buffer-process (current-buffer)) + sql-password))) + (comint-watch-for-password-prompt string))) + (defun sql-comint (product params &optional buf-name) "Set up a comint buffer to run the SQL processor. -PRODUCT is the SQL product. PARAMS is a list of strings which are -passed as command line arguments. BUF-NAME is the name of the new -buffer. If nil, a name is chosen for it." +PRODUCT is the SQL product. PARAMS is a list of strings which +are passed as command line arguments. BUF-NAME is the name of +the new buffer. If nil, a name is chosen for it." (let ((program (sql-get-product-feature product :sqli-program))) ;; Make sure we can find the program. `executable-find' does not 
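Review bot: `sql-watch-for-password-prompt` calls `(funcall comint-input-sender (get-buffer-process (current-buffer)) sql-password)` without checking that the process exists; bind it first and guard with `(when proc ...)` as the maintainer's sketch did, so a process that has died or not yet started does not signal from inside the output filter. The prompt match also uses only `comint-password-prompt-regexp`, so a product whose prompt does not match it never receives the password and `sql-password-accepted-via-comint` stays nil; a per-product prompt regexp feature, as suggested in the thread, would cover that.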
@@ -4757,12 +4786,21 @@ buffer. If nil, a name is chosen for it." (setq buf-name (sql-generate-unique-sqli-buffer-name product nil))) (set-text-properties 0 (length buf-name) nil buf-name) + ;; Create the buffer first, because we want to set it up before + ;; comint starts to run. + (set-buffer (get-buffer-create buf-name)) + (when (sql-get-product-feature product :password-in-comint) + (setq sql-password-accepted-via-comint nil) + ;; Substitute our own password watcher function. + (add-hook 'comint-output-filter-functions 'sql-watch-for-password-prompt) + (remove-hook 'comint-output-filter-functions 'comint-watch-for-password-prompt)) + ;; Start the command interpreter in the buffer ;; PROC-NAME is BUF-NAME without enclosing asterisks (let ((proc-name (replace-regexp-in-string "\\`[*]\\(.*\\)[*]\\'" "\\1" buf-name))) (set-buffer (apply #'make-comint-in-buffer - proc-name buf-name program nil params))))) + proc-name (current-buffer) program nil params))))) ;;;###autoload (defun sql-oracle (&optional buffer) @@ -5188,7 +5226,9 @@ The default comes from `process-coding-system-alist' and (if (not (string= "" sql-user)) (list (concat "--user=" sql-user))) (if (not (string= "" sql-password)) - (list (concat "--password=" sql-password))) + ;; Sending --password will make MySQL prompt for the + ;; password. + (list "--password")) (if (not (= 0 sql-port)) (list (concat "--port=" (number-to-string sql-port)))) (if (not (string= "" sql-server)) diff --git a/test/lisp/progmodes/sql-tests.el b/test/lisp/progmodes/sql-tests.el index 3ac9fb10e4..278e5aba87 100644 --- a/test/lisp/progmodes/sql-tests.el +++ b/test/lisp/progmodes/sql-tests.el 
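Review bot: in the `@@ -4757,12 +4786,21 @@` hunk, `add-hook` and `remove-hook` on `comint-output-filter-functions` are called without the LOCAL argument, so they modify the global value: as soon as one `:password-in-comint` product is started, every comint buffer (shell and the like) loses `comint-watch-for-password-prompt` and gains the SQL watcher, which is exactly the unintended breakage of other comint users the maintainer is worried about. Pass `nil t` to both calls so the change is buffer-local. Note also that `make-comint-in-buffer` turns on `comint-mode` in the fresh buffer, and a major mode switch kills buffer-local variables, so the buffer-local hook adjustment has to happen after `make-comint-in-buffer` returns rather than before it.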
@@ -410,6 +410,67 @@ The ACTION will be tested after set-up of PRODUCT." (kill-buffer "*SQL: exist*"))) +(defmacro sql-watch-test-harness (expected &rest action) + "Set-up state and replace functions for SQL password test. + +EXPECTED could be: + - 'passthrough, to indicate that we expect that we pass through + to the normal comint function. + - 'both to indicate that we expected a password to be sent as well + as a prompt to passed through. + - nil, to indicate that nothing happens, including no passthrough. + - a string to indicate that the string is sent to the process + as a password. +ACTION is the body of the test." + `(let ((sent-password) + (input-called 0) + (comint-watch-called 0)) + (with-temp-buffer + (cl-letf ((comint-input-sender (lambda (_ password) (incf input-called) (setq sent-password password))) + ((symbol-function 'comint-watch-for-password-prompt) (lambda (_) (incf comint-watch-called))) + (sql-product 'sqltest) + (sql-product-alist '((sqltest + :name "SqlTest" + :sql-password-accepted-via-comint t)))) + ,@action)) + + (cond ((eq ,expected 'passthrough) + (should (= 1 comint-watch-called)) + (should (= 0 input-called))) + ((eq ,expected 'both) + (should (= 1 comint-watch-called)) + (should (= 1 input-called))) + ((null ,expected) + (should (= 0 comint-watch-called)) + (should (= 0 input-called))) + ((stringp ,expected) + (should (string-equal ,expected sent-password)) + (should (= 0 comint-watch-called)))))) + +(ert-deftest sql-tests-watch-for-password-prompt-no-password () + (sql-watch-test-harness + 'passthrough + (setq sql-password nil) + (sql-watch-for-password-prompt "Password:")) + (sql-watch-test-harness + 'passthrough + (setq sql-password "") + (sql-watch-for-password-prompt "Password:"))) + +(ert-deftest sql-tests-watch-for-password-prompt-right-prompt () + (sql-watch-test-harness + nil + (setq sql-password "password") + (sql-watch-for-password-prompt "SQL> "))) + +(ert-deftest sql-tests-watch-for-password-prompt-second-password () + 
;; The harness itself makes sure we don't send the password more + ;; than once. + (sql-watch-test-harness + 'both + (setq sql-password "password") + (sql-watch-for-password-prompt "Password:") + (sql-watch-for-password-prompt "Password:"))) (provide 'sql-tests) ;;; sql-tests.el ends here -- 2.20.1 (Apple Git-117) --=-=-= Content-Type: text/plain Michael Mauger writes: > On Saturday, November 2, 2019 1:10 AM, Andrew Hyatt wrote: > >> Michael Mauger mmauger@protonmail.com writes: >> >> > On Sunday, October 20, 2019 8:56 PM, Andrew Hyatt ahyatt@gmail.com wrote: >> > >> >> Your advice is good, but following it led me to some complexity I can't >> seem to get away from. Perhaps you have some insight, so let me explain. >> The issue is that, yes, I can not advise the comint function. However, >> if I supply my own function, then I have to remove the >> comint-watch-for-password-prompt, supply my own function, then restore >> it when the user has entered their password (so it can handle subsequent >> password entries). This juggling of the normal >> comint-watch-for-password-prompt method, plus the fact that we basically >> have to reimplement part of it, gives me pause - I think it's probably >> too hacky a solution. >> >> There's a few ways out. We could introduce a variable used in >> sql-product-alist that tells SQL not to prompt for a password because >> the db will just get it via the comint password function. That would >> probably work well, but it wouldn't store the sql-password at all, that >> variable would be unused. Maybe that's OK, maybe not - I don't have a >> good sense for it. >> >> Or, we could make this auto-password-supplying per-buffer a part of >> comint itself. That would widen the scope of the fix, but it would >> probably be the best of both functionality and simplicity. >> >> What do you think? >> > > I totally understand the complexity, but I don't think it has too be too > complicated to address. 
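Review bot: The two `cl-letf` lambdas in `sql-watch-test-harness` call `incf`, which is only defined once the deprecated `cl` compatibility library has been loaded, while the surrounding code already uses the `cl-` namespace (`cl-letf`); use `cl-incf` and make sure sql-tests.el requires `cl-lib`, otherwise the tests depend on whatever else happened to load `cl`. Two smaller points: `,expected` is spliced into the `cond` four times, so anything other than a literal would be evaluated repeatedly, and binding it once in the `let` avoids that; and `with-temp-buffer` gives the test no process, so the `'both` expectation in `sql-tests-watch-for-password-prompt-second-password` (`input-called` = 1 on the first "Password:", passthrough on the second) only holds if `sql-watch-for-password-prompt` calls `comint-input-sender` without first requiring `(get-buffer-process (current-buffer))` to be non-nil; a comment or a stub process would make that dependency explicit. Docstring nit: "a prompt to passed through" should read "a prompt to be passed through".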
>
> First the sql.el only solution: If the sql-comint function decides to pass
> the password via stdin then it can set a buffer-local flag indicating this
> and then replace `comint-watch-for-password-prompt' on the
> `comint-output-filter-functions' list with the sql version of the function.
> The sql password function would be something along the lines of:
>
>     ;; TOTALLY NOT TESTED
>     (defun sql-watch-for-password-prompt (string)
>       "blah blah ;)"
>       (if sql-will-prompt-for-password
>           ;; (based on comint-watch-for-password-prompt) vvv
>           (when (let ((case-fold-search t))
>                   ;; the regexp is the first argument, STRING the second
>                   (string-match (or (sql-get-product-feature sql-product 'password-prompt-regexp)
>                                     comint-password-prompt-regexp)
>                                 string))
>             (when (string-match "^[ \n\r\t\v\f\b\a]+" string)
>               (setq string (replace-match "" t t string)))
>             (let ((comint--prompt-recursion-depth (1+ comint--prompt-recursion-depth)))
>               (if (> comint--prompt-recursion-depth 10)
>                   (message "Password prompt recursion too deep")
>                 ;;; ^^^
>                 ;;; automagically provide the password
>                 (let ((proc (get-buffer-process (current-buffer))))
>                   (when proc
>                     (funcall comint-input-sender proc sql-password)
>                     ;; Make sure we don't supply again
>                     (setq-local sql-will-prompt-for-password nil))))))
>         ;; Back to default behavior
>         (comint-watch-for-password-prompt string)))
>
> That should get you close without too much difficulty. Of course, it requires
> that a password-prompt-regexp feature is defined for the sql product and that the
> sql-comint function defines a buffer-local flag `sql-will-prompt-for-password' if
> it is deferring to stdin.
>
> The other solution would involve modifying comint to call a hook if set to supply
> a password or nil. This would probably be a simpler change but may get
> broader attention. When the hook function is not set or returns nil then do the
> default behavior of calling `comint-send-invisible' otherwise just send the password
>
> There are some edge cases here, but this hopefully helps.
> Also, obviously, test cases
> are needed given that if this breaks, we break the sql interactive world!
>
> --
> MICHAEL@MAUGER.COM // FSF and EFF member // GNU Emacs sql.el maintainer

From: Andrew Hyatt
Date: Sun, 15 Dec 2019 23:59:28 -0500
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
To: Michael Mauger
Cc: 8427@debbugs.gnu.org, Stefan Kangas

Any input on this? I believe this fixes the issue, and would prefer to revise this while I still remember the details. I'm happy to submit this as well.

On Mon, Nov 11, 2019 at 12:31 AM Andrew Hyatt wrote:
>
> I've simplified an implementation along the lines you suggest, and
> tested it via ert. I'm attaching the latest version of the patch.
> Please let me know what you think.
>
> Michael Mauger writes:
>
> > On Saturday, November 2, 2019 1:10 AM, Andrew Hyatt wrote:
> >
> >> Michael Mauger mmauger@protonmail.com writes:
> >>
> >> > On Sunday, October 20, 2019 8:56 PM, Andrew Hyatt ahyatt@gmail.com wrote:
> >> >
> >>
> >> Your advice is good, but following it led me to some complexity I can't
> >> seem to get away from. Perhaps you have some insight, so let me explain.
> >> The issue is that, yes, I cannot advise the comint function. However,
> >> if I supply my own function, then I have to remove the
> >> comint-watch-for-password-prompt, supply my own function, then restore
> >> it when the user has entered their password (so it can handle subsequent
> >> password entries). This juggling of the normal
> >> comint-watch-for-password-prompt method, plus the fact that we basically
> >> have to reimplement part of it, gives me pause - I think it's probably
> >> too hacky a solution.
> >>
> >> There's a few ways out. We could introduce a variable used in
> >> sql-product-alist that tells SQL not to prompt for a password because
> >> the db will just get it via the comint password function. That would
> >> probably work well, but it wouldn't store the sql-password at all, that
> >> variable would be unused. Maybe that's OK, maybe not - I don't have a
> >> good sense for it.
> >>
> >> Or, we could make this auto-password-supplying per-buffer a part of
> >> comint itself. That would widen the scope of the fix, but it would
> >> probably be the best of both functionality and simplicity.
> >>
> >> What do you think?
> >>
> >
> > I totally understand the complexity, but I don't think it has to be too
> > complicated to address.
> >
> > First the sql.el only solution: If the sql-comint function decides to pass
> > the password via stdin then it can set a buffer-local flag indicating this
> > and then replace `comint-watch-for-password-prompt' on the
> > `comint-output-filter-functions' list with the sql version of the function.
> > The sql password function would be something along the lines of:
> >
> >     ;; TOTALLY NOT TESTED
> >     (defun sql-watch-for-password-prompt (string)
> >       "blah blah ;)"
> >       (if sql-will-prompt-for-password
> >           ;; (based on comint-watch-for-password-prompt) vvv
> >           (when (let ((case-fold-search t))
> >                   ;; the regexp is the first argument, STRING the second
> >                   (string-match (or (sql-get-product-feature sql-product 'password-prompt-regexp)
> >                                     comint-password-prompt-regexp)
> >                                 string))
> >             (when (string-match "^[ \n\r\t\v\f\b\a]+" string)
> >               (setq string (replace-match "" t t string)))
> >             (let ((comint--prompt-recursion-depth (1+ comint--prompt-recursion-depth)))
> >               (if (> comint--prompt-recursion-depth 10)
> >                   (message "Password prompt recursion too deep")
> >                 ;;; ^^^
> >                 ;;; automagically provide the password
> >                 (let ((proc (get-buffer-process (current-buffer))))
> >                   (when proc
> >                     (funcall comint-input-sender proc sql-password)
> >                     ;; Make sure we don't supply again
> >                     (setq-local sql-will-prompt-for-password nil))))))
> >         ;; Back to default behavior
> >         (comint-watch-for-password-prompt string)))
> >
> > That should get you close without too much difficulty. Of course, it requires
> > that a password-prompt-regexp feature is defined for the sql product and that the
> > sql-comint function defines a buffer-local flag `sql-will-prompt-for-password' if
> > it is deferring to stdin.
> >
> > The other solution would involve modifying comint to call a hook if set to supply
> > a password or nil. This would probably be a simpler change but may get
> > broader attention. When the hook function is not set or returns nil then do the
> > default behavior of calling `comint-send-invisible' otherwise just send the password
> >
> > There are some edge cases here, but this hopefully helps. Also, obviously, test cases
> > are needed given that if this breaks, we break the sql interactive world!
> >
> > --
> > MICHAEL@MAUGER.COM // FSF and EFF member // GNU Emacs sql.el maintainer
From: Michael Mauger
Date: Mon, 16 Dec 2019 15:12:32 +0000
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
To: ahyatt@gmail.com
Cc: 8427@debbugs.gnu.org, stefan@marxist.se

-------- Original Message --------
On Dec 15, 2019, 11:59 PM, Andrew Hyatt < ahyatt@gmail.com> wrote:
> Any input on this? I believe this fixes the issue, and would prefer to
> revise this while I still remember the details. I'm happy to submit this
> as well.

>> On Mon, Nov 11, 2019 at 12:31 AM Andrew Hyatt <ahyatt@gmail.com> wrote:

>> I've simplified an implementation along the lines you suggest, and
>> tested it via ert. I'm attaching the latest version of the patch.
>> Please let me know what you think.

I apologise for not getting back to you sooner-- a new job and the holidays have consumed much of my time. My initial look at your latest patch raised some concerns but I haven't done any deeper look yet. I'll try to take a look in the next week or so. If you don't hear back from me after the new year, then let's merge it and we'll address the issues from there. (I know I mentioned this before but I don't remember the status-- do you have your copyright paperwork all set for Emacs contributions?)

I think my thought was that it may make sense to push some of this back onto comint rather than a convoluted sql-only solution, but that may require some more negotiation. As I looked at it, using a comint hook might serve auth services as well.

Sorry about the silence, you have not been forgotten just buried in end-of-year turmoil :)

--
MICHAEL@MAUGER.COM // FSF and EFF member // GNU Emacs sql.el maintainer

From: Andrew Hyatt
Date: Wed, 18 Dec 2019 01:15:15 -0500
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
To: Michael Mauger
Cc: 8427@debbugs.gnu.org, Stefan Kangas

Hi Michael,

I'm happy to merge this in. I have FSF paperwork done and already have commit access.

However, I agree with you about pushing logic into comint. As I mentioned before, it would help simplify the logic here. It might be best to not check this in and see what an alternate solution might be first, based on comint.
I can work on that soon and get a patch out in the next week or so.

On Mon, Dec 16, 2019 at 10:12 AM Michael Mauger wrote:
>
> -------- Original Message --------
> On Dec 15, 2019, 11:59 PM, Andrew Hyatt < ahyatt@gmail.com> wrote:
> > Any input on this? I believe this fixes the issue, and would prefer to
> > revise this while I still remember the details. I'm happy to submit this
> > as well.
>
> >> On Mon, Nov 11, 2019 at 12:31 AM Andrew Hyatt wrote:
>
> >> I've simplified an implementation along the lines you suggest, and
> >> tested it via ert. I'm attaching the latest version of the patch.
> >> Please let me know what you think.
>
> I apologise for not getting back to you sooner-- a new job and the
> holidays have consumed much of my time. My initial look at your latest
> patch raised some concerns but I haven't done any deeper look yet. I'll try
> to take a look in the next week or so. If you don't hear back from me after
> the new year, then let's merge it and we'll address the issues from there.
> (I know I mentioned this before but I don't remember the status-- do you
> have your copyright paperwork all set for Emacs contributions?)
>
> I think my thought was that it may make sense to push some of this back
> onto comint rather than a convoluted sql-only solution, but that may
> require some more negotiation. As I looked at it, using a comint hook might
> serve auth services as well.
>
> Sorry about the silence, you have not been forgotten just buried in
> end-of-year turmoil :)
>
> --
> MICHAEL@MAUGER.COM // FSF and EFF member // GNU Emacs sql.el maintainer
From: Michael Mauger
Date: Wed, 18 Dec 2019 12:45:27 +0000
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
To: Andrew Hyatt
Cc: 8427@debbugs.gnu.org, Stefan Kangas

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, December 18, 2019 6:15 AM, Andrew Hyatt wrote:

> Hi Michael,
>
> I'm happy to merge this in. I have FSF paperwork done and already have commit access.
>
> However, I agree with you about pushing logic into comint. As I mentioned before, it would help simplify the logic here. It might be best to not check this in and see what an alternate solution might be first, based on comint. I can work on that soon and get a patch out in the next week or so.
>
> On Mon, Dec 16, 2019 at 10:12 AM Michael Mauger wrote:
>
> > -------- Original Message --------
> > On Dec 15, 2019, 11:59 PM, Andrew Hyatt <ahyatt@gmail.com> wrote:
> > > Any input on this? I believe this fixes the issue, and would prefer to
> > > revise this while I still remember the details. I'm happy to submit this
> > > as well.
>

I had a chance to look at this last night; I've had a couple of days away from home and took advantage of it. Below is my first take on the changes to comint.el needed to add a hook that we could use in sql.el to supply the password. I think we ought to run this by emacs-devel and Eli before merging it.

*** /usr/local/share/emacs/27.0.50/lisp/comint.el=092019-12-18 07:26:14.268= 274791 -0500 --- /home/michael/my-config/user-lisp/override/comint.el=092019-12-17 23:10= :08.433852481 -0500 *************** *** 2356,2361 **** --- 2356,2368 ---- ;; saved -- typically passwords to ftp, telnet, or somesuch. ;; Just enter m-x comint-send-invisible and type in your line. + (defvar comint-password-function nil + "Abnormal hook run when prompted for a password. + This function gets one argument, a string containing the prompt. + It may return a string containing the password, or nil if normal + password prompting should occur.") + (put 'comint-password-function 'permanent-local t) + (defun comint-send-invisible (&optional prompt) "Read a string without echoing. Then send it to the process running in the current buffer. *************** *** 2370,2377 **** =09 (format "(In buffer %s) " =09=09 (current-buffer))))) (if proc ! =09(let ((str (read-passwd (concat prefix ! =09=09=09=09=09(or prompt "Non-echoed text: "))))) =09 (if (stringp str) =09 (progn =09=09(comint-snapshot-last-prompt) --- 2377,2389 ---- =09 (format "(In buffer %s) " =09=09 (current-buffer))))) (if proc ! =09(let ((prefix-prompt (concat prefix ! =09=09=09=09 (or prompt "Non-echoed text: "))) ! =09 str) ! =09 (when comint-password-function ! 
=09 (setq str (funcall comint-password-function prefix-prompt))) ! =09 (unless str ! =09 (setq str (read-passwd prefix-prompt))) =09 (if (stringp str) =09 (progn =09=09(comint-snapshot-last-prompt)

Let me know your thoughts

--
MICHAEL@MAUGER.COM // FSF and EFF member // GNU Emacs sql.el maintainer
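Review bot: `(put 'comint-password-function 'permanent-local t)` in the first hunk (2356,2361) marks the variable as permanent-local but does not make it buffer-local, so a caller that does `(setq comint-password-function ...)` from one comint buffer changes the value seen by every comint buffer; either declare it with `defvar-local` or say in the docstring that callers must use `setq-local`. The docstring also calls the variable an "Abnormal hook" although it holds a single function rather than a hook list, so "Function called when prompted for a password" would describe it more accurately.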
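Review bot: in the second hunk (2370,2377) the hook is called with `prefix-prompt`, which already has the `(In buffer %s) ` prefix concatenated onto it, while the docstring promises "a string containing the prompt"; pass `(or prompt "Non-echoed text: ")` to the hook, or state in the docstring that the argument is the decorated minibuffer prompt, since a hook that matches on the text the process emitted would otherwise have to allow for the prefix. The patch also lacks the NEWS entry Eli asked for describing the hook and its rationale.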
From: Eli Zaretskii
To: Michael Mauger
Cc: ahyatt@gmail.com, 8427@debbugs.gnu.org, stefan@marxist.se
Date: Wed, 18 Dec 2019 18:57:32 +0200
Message-Id: <83r211372b.fsf@gnu.org>
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing

> Cc: "8427@debbugs.gnu.org" <8427@debbugs.gnu.org>,
> Stefan Kangas
> Date: Wed, 18 Dec 2019 12:45:27 +0000
> From: Michael Mauger via "Bug reports for GNU Emacs,
> the Swiss army knife of text editors"
>
> I had a chance to look at this last night; I've had a couple of days away from home and took advantage of it. Below is my first take on the changes to comint.el needed to add a hook that we could use in sql.el to supply the password. I think we ought to run this by emacs-devel and Eli before merging it.

I'm okay with adding this hook, but please mention this hook and its rationale in NEWS.

Please also feel free to ask on emacs-devel for comments, if you want.

Thanks.

Date: Wed, 18 Dec 2019 17:52:44 +0000
To: Eli Zaretskii
From: Michael Mauger
Cc: ahyatt@gmail.com, 8427@debbugs.gnu.org, stefan@marxist.se
In-Reply-To: <83r211372b.fsf@gnu.org>
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing

------- Original Message -------
On Wednesday, December 18, 2019 11:57 AM, Eli Zaretskii wrote:

> On Wed, 18 Dec 2019 12:45:27 +0000, Michael Mauger wrote:
> > Below is my first
> > take on the changes to comint.el needed to add a hook that we
> > could use in sql.el to supply the password. I think we ought
> > to run this by emacs-devel and Eli before merging it.
>
> I'm okay with adding this hook, but please mention this hook and its
> rationale in NEWS.
>
> Please also feel free to ask on emacs-devel for comments, if you want.
>
> Thanks.

I'll put together the patch for comint.el and NEWS and commit it.

Andrew, you can then simplify your sql.el patches appropriately along with corresponding NEWS entry and we can review before you commit.
Thanks!

--
MICHAEL@MAUGER.COM // FSF and EFF member // GNU Emacs sql.el maintainer
From: Andrew Hyatt
To: Michael Mauger
Cc: Eli Zaretskii, 8427@debbugs.gnu.org, stefan@marxist.se
Date: Mon, 30 Dec 2019 10:11:54 -0500
In-Reply-To: (Michael Mauger's message of "Wed, 18 Dec 2019 17:52:44 +0000")
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing

Thank you, your new comint changes make this change much simpler. I'm attaching the new patch, please take a look and let me know if this is reasonable to submit.

Attachment: 0001-Enable-sql-passwords-to-be-sent-in-process-when-poss.patch (bugfix for 8427, using new comint hook)

>From cbca5e8b7be1fd1a10773ae0b22e6373e705007a Mon Sep 17 00:00:00 2001
From: Andrew Hyatt Date: Mon, 30 Dec 2019 10:09:23 -0500 Subject: [PATCH] Enable sql passwords to be sent in-process when possible. * lisp/progmodes/sql.el (sql-comint, sql-comint-mysql): This is controlled by the sql-product variable :password-in-comint. When true, on the first password prompt, send argument to signal to the SQL process to read the password inside the process. This removes the slight chance that someone can spy on the password from ps or via other methods. * test/lisp/progmodes/sql-tests.el: Testing of new password comint hook. --- etc/NEWS | 6 ++++++ lisp/progmodes/sql.el | 15 +++++++++++++++ test/lisp/progmodes/sql-tests.el | 10 ++++++++++ 3 files changed, 31 insertions(+) diff --git a/etc/NEWS b/etc/NEWS index e630bb71fe..06526fb1ae 100644 --- a/etc/NEWS +++ b/etc/NEWS @@ -1231,6 +1231,12 @@ default values. If you have existing customizations to these variables, you should make sure that the new default entry is included. +--- +**** sql now supports sending of passwords in-process. +To improve security, if a sql product has ':password-in-comint' set to +true, a password supplied via the minibuffer will be sent in-process, +as opposed to via the command-line. + --- *** Connection Wallet Database passwords can now by stored in NETRC or JSON data files that diff --git a/lisp/progmodes/sql.el b/lisp/progmodes/sql.el index 7a51739c5f..979d311064 100644 --- a/lisp/progmodes/sql.el +++ b/lisp/progmodes/sql.el @@ -4733,6 +4733,14 @@ the call to \\[sql-product-interactive] with (get-buffer new-sqli-buffer))))) (user-error "No default SQL product defined: set `sql-product'"))) +(defun sql-comint-automatic-password (_) + "Intercept password prompts when we know the password. +This must also do the job of detecting password prompts." + (when (and + sql-password + (not (string= "" sql-password))) + sql-password)) + (defun sql-comint (product params &optional buf-name) "Set up a comint buffer to run the SQL processor. 
@@ -4757,6 +4765,13 @@ buffer. If nil, a name is chosen for it." (setq buf-name (sql-generate-unique-sqli-buffer-name product nil))) (set-text-properties 0 (length buf-name) nil buf-name) + ;; Create the buffer first, because we want to set it up before + ;; comint starts to run. + (set-buffer (get-buffer-create buf-name)) + ;; Set up the automatic population of passwords, if supported. + (when (sql-get-product-feature product :password-in-comint) + (setq comint-password-function #'sql-comint-automatic-password)) + ;; Start the command interpreter in the buffer ;; PROC-NAME is BUF-NAME without enclosing asterisks (let ((proc-name (replace-regexp-in-string "\\`[*]\\(.*\\)[*]\\'" "\\1" buf-name))) diff --git a/test/lisp/progmodes/sql-tests.el b/test/lisp/progmodes/sql-tests.el index 3ac9fb10e4..2f0a96b6c2 100644 --- a/test/lisp/progmodes/sql-tests.el +++ b/test/lisp/progmodes/sql-tests.el 
@@ -410,6 +410,16 @@ The ACTION will be tested after set-up of PRODUCT." (kill-buffer "*SQL: exist*"))) +(ert-deftest sql-tests-comint-automatic-password () + (let ((sql-password nil)) + (should-not (sql-comint-automatic-password "Password: "))) + (let ((sql-password "")) + (should-not (sql-comint-automatic-password "Password: "))) + (let ((sql-password "password")) + (should (equal "password" (sql-comint-automatic-password "Password: ")))) + ;; Also, we shouldn't care what the password is - we rely on comint for that. + (let ((sql-password "password")) + (should (equal "password" (sql-comint-automatic-password ""))))) (provide 'sql-tests) ;;; sql-tests.el ends here -- 2.20.1 (Apple Git-117)

Michael Mauger writes:

> ------- Original Message -------
> On Wednesday, December 18, 2019 11:57 AM, Eli Zaretskii wrote:
>
>> On Wed, 18 Dec 2019 12:45:27 +0000, Michael Mauger wrote:
>> > Below is my first
>> > take on the changes to comint.el needed to add a hook that we
>> > could use in sql.el to supply the password. I think we ought
>> > to run this by emacs-devel and Eli before merging it.
>>
>> I'm okay with adding this hook, but please mention this hook and its
>> rationale in NEWS.
>>
>> Please also feel free to ask on emacs-devel for comments, if you want.
>>
>> Thanks.
>
> I'll put together the patch for comint.el and NEWS and commit it.
>
> Andrew, you can then simplify your sql.el patches appropriately along
> with corresponding NEWS entry and we can review before you commit.

Thanks!
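Review bot: the docstring of `sql-comint-automatic-password` in the first sql.el hunk (4733,6) says the function "must also do the job of detecting password prompts", but the body ignores its argument and returns `sql-password` for any prompt, which the test comment ("we rely on comint for that") confirms is intended; drop that sentence from the docstring. The commit message also describes changes to `sql-comint-mysql` and a `:password-in-comint` product feature, yet no hunk in the patch touches `sql-comint-mysql` or sets that feature on any product, so as posted the hook is never installed for any product; either include those changes or reword the commit message to say what this patch actually adds.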
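Review bot: `(setq comint-password-function #'sql-comint-automatic-password)` in the second sql.el hunk (4757,6) sets the global value, because the comint patch only gives the variable the `permanent-local` property and does not make it buffer-local; use `(setq-local comint-password-function #'sql-comint-automatic-password)` so that other comint buffers (a shell buffer, for example) do not have their password prompts answered with `sql-password`.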
>
> --
> MICHAEL@MAUGER.COM // FSF and EFF member // GNU Emacs sql.el maintainer
From: Michael Albinus
To: Andrew Hyatt
Date: Mon, 30 Dec 2019 19:34:38 +0100
In-Reply-To: (Andrew Hyatt's message of "Mon, 30 Dec 2019 10:11:54 -0500")
Message-ID: <87imlxu0g1.fsf@gmx.de>
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Cc: stefan@marxist.se, 8427@debbugs.gnu.org, Michael Mauger

Andrew Hyatt writes:

> --- a/etc/NEWS
> +++ b/etc/NEWS > > +--- > +**** sql now supports sending of passwords in-process. > +To improve security, if a sql product has ':password-in-comint' set to > +true, a password supplied via the minibuffer will be sent in-process, > +as opposed to via the command-line.

I would say non-nil instead of true. Or do you mean t?
From: Andrew Hyatt
To: Michael Albinus
Cc: stefan@marxist.se, 8427@debbugs.gnu.org, Michael Mauger
Date: Mon, 30 Dec 2019 14:26:21 -0500
In-Reply-To: <87imlxu0g1.fsf@gmx.de>
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing

I meant a true value, I agree, non-nil is a better way to say that.

Shall I just make that change and check in?

On Mon, Dec 30, 2019 at 1:34 PM Michael Albinus wrote:

> Andrew Hyatt writes:
>
> > --- a/etc/NEWS
> > +++ b/etc/NEWS > > > > +--- > > +**** sql now supports sending of passwords in-process. > > +To improve security, if a sql product has ':password-in-comint' set to > > +true, a password supplied via the minibuffer will be sent in-process, > > +as opposed to via the command-line.
>
> I would say non-nil instead of true. Or do you mean t?
>
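To show from the defender's side what the patches in this thread change, here is an added example in Python; it is not code from this bug thread or from Emacs. The parent process plays the role of comint with a `comint-password-function`: it watches the child's output for a password prompt and answers it over stdin, so the secret never appears in the child's argument list. The child is a constructed stand-in for a database client (its `--password=` option and `Enter password:` prompt are assumptions, not mysql's actual behaviour), and it reports its own argv, which is what ps(1) would list for it. The prompt regexp is a simplified assumption, not comint's own `comint-password-prompt-regexp`.

```python
"""In-process password delivery versus a password on argv.

Added example (not from the bug thread or from Emacs). The parent acts
like comint with a comint-password-function; the child is a constructed
stand-in for a database client.
"""
import getpass
import re
import subprocess
import sys

# Simplified stand-in for comint's password-prompt regexp (assumption):
# output that currently ends in "password:" / "passphrase:" plus blanks.
PASSWORD_PROMPT_RE = re.compile(r"(?i)(pass ?word|passphrase)[^:\n]*:[ \t]*\Z")

# Constructed client (assumption, not mysql): accepts --password=VALUE on
# argv; without it, prompts on stdout and reads the password from stdin.
# It then prints its own argv, which is exactly what ps(1) would show.
FAKE_CLIENT = r"""
import sys
pw = None
for arg in sys.argv[1:]:
    if arg.startswith("--password="):
        pw = arg.split("=", 1)[1]
if pw is None:
    sys.stdout.write("Enter password: ")
    sys.stdout.flush()
    pw = sys.stdin.readline().rstrip("\n")
    sys.stdout.write("\n")
sys.stdout.write("ARGV=" + " ".join(sys.argv[1:]) + "\n")
sys.stdout.write("OK\n" if pw == "s3cret" else "DENIED\n")
"""


def drive_process(argv, password_function):
    """Run ARGV, answering a password prompt through PASSWORD_FUNCTION.

    PASSWORD_FUNCTION mirrors the comint hook: it receives the prompt text
    and returns the password, or None to fall back to interactive entry.
    Returns the child's complete output as a string.
    """
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                            bufsize=0)
    output = bytearray()
    window = bytearray()          # bytes seen since the last answered prompt
    try:
        while True:
            byte = proc.stdout.read(1)
            if not byte:          # EOF: the child closed its stdout
                break
            output += byte
            window += byte
            tail = window[-128:].decode("utf-8", errors="replace")
            if PASSWORD_PROMPT_RE.search(tail):
                secret = password_function(tail.rstrip())
                if secret is None:                 # hook declined: ask the user
                    secret = getpass.getpass(tail.rstrip())
                proc.stdin.write(secret.encode("utf-8") + b"\n")
                proc.stdin.flush()
                window.clear()    # never answer the same prompt twice
    finally:
        proc.stdin.close()
        proc.wait()
    return output.decode("utf-8", errors="replace")


def run_client(args, password, in_process):
    """Launch the constructed client with the password either on argv
    (the leaky way) or delivered in-process when the client prompts."""
    argv = [sys.executable, "-c", FAKE_CLIENT, *args]
    if not in_process:
        argv.append("--password=" + password)      # visible to every ps(1) user
    out = drive_process(argv, lambda _prompt: password)
    lines = out.splitlines()
    shown = next((ln[len("ARGV="):] for ln in lines if ln.startswith("ARGV=")), "")
    return {
        "authenticated": bool(lines) and lines[-1] == "OK",
        "ps_would_show": shown,
        "secret_in_argv": password in shown,
    }


if __name__ == "__main__":
    for mode in (False, True):
        result = run_client(["--user=alice", "--host=db.example.test"], "s3cret", mode)
        print("in-process" if mode else "on argv   ", result)
```

Running it prints one result per mode; `secret_in_argv` is true only for the command-line variant, while both variants authenticate. The same `drive_process` loop can be pointed at a real client, with the caveat that in-process delivery only helps when the client actually prompts (mysql does so when `--password` is given with no value), and that a hook which answers every prompt with a stored password should be installed only in the buffer that owns that connection.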
From: Eli Zaretskii
To: Andrew Hyatt
Cc: mmauger@protonmail.com, stefan@marxist.se, 8427@debbugs.gnu.org, michael.albinus@gmx.de
Date: Mon, 30 Dec 2019 21:39:05 +0200
Message-Id: <83y2utli1y.fsf@gnu.org>
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing

> Date: Mon, 30 Dec 2019 14:26:21 -0500
> Cc: Michael Mauger,
> "8427@debbugs.gnu.org" <8427@debbugs.gnu.org>,
> "stefan@marxist.se"
>
> Shall I just make that change and check in?
Please wait for a while, I'd like Michael Mauger to review this.

Thanks.

From: Michael Mauger
To: Eli Zaretskii
Cc: stefan@marxist.se, Andrew Hyatt, 8427@debbugs.gnu.org, michael.albinus@gmx.de
Date: Mon, 30 Dec 2019 23:36:04 +0000
In-Reply-To: <83y2utli1y.fsf@gnu.org>
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
------- Original Message -------
On Monday, December 30, 2019 2:39 PM, Eli Zaretskii wrote:

> > Date: Mon, 30 Dec 2019 14:26:21 -0500
> > Cc: Michael Mauger mmauger@protonmail.com,
> > "8427@debbugs.gnu.org" 8427@debbugs.gnu.org,
> > "stefan@marxist.se" stefan@marxist.se
> > Shall I just make that change and check in?
>
> Please wait for a while, I'd like Michael Mauger to review this.
>
> Thanks.

I will take a look after New Years. Thank you, Andrew and Eli.

--
MICHAEL@MAUGER.COM // FSF and EFF member // GNU Emacs sql.el maintainer
From: Lars Ingebrigtsen
To: Michael Mauger
Date: Mon, 21 Sep 2020 14:45:57 +0200
In-Reply-To: (Michael Mauger's message of "Mon, 30 Dec 2019 23:36:04 +0000")
Message-ID: <87k0wnpabe.fsf@gnus.org>
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Content analysis details: (-2.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 8427 Cc: "michael.albinus@gmx.de" , Eli Zaretskii , "8427@debbugs.gnu.org" <8427@debbugs.gnu.org>, "stefan@marxist.se" , Andrew Hyatt X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Michael Mauger writes: >> Please wait for a while, I'd like Michael Mauger to review this. >> >> Thanks. > > I will take a look after New Years. Thank you, Andrew and Eli. Michael, have you had time to look at the patches? I had a brief skim, and they looked reasonable to me, but I have neither read them in-depth nor tried them. -- (domestic pets only, the antidote for overdose, milk.) 
bloggy blog: http://lars.ingebrigtsen.no From debbugs-submit-bounces@debbugs.gnu.org Tue Oct 12 01:05:40 2021 Received: (at 8427) by debbugs.gnu.org; 12 Oct 2021 05:05:40 +0000 Received: from localhost ([127.0.0.1]:33184 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ma9yu-0008Gv-7n for submit@debbugs.gnu.org; Tue, 12 Oct 2021 01:05:40 -0400 Received: from mail-pj1-f48.google.com ([209.85.216.48]:36805) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ma9ys-0008Gg-Q7 for 8427@debbugs.gnu.org; Tue, 12 Oct 2021 01:05:39 -0400 Received: by mail-pj1-f48.google.com with SMTP id qe4-20020a17090b4f8400b0019f663cfcd1so1010990pjb.1 for <8427@debbugs.gnu.org>; Mon, 11 Oct 2021 22:05:38 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:in-reply-to:references:user-agent :mime-version:date:message-id:subject:to:cc; bh=NAQ/KM9PMQ39yehG9hc/EYWT6Gwf7GY9SKlk9DHHJk0=; b=k40kAzmtabQ7ABF390Rxl1sqKiN72aD2tn29G85XwJ/bpXzWxG5uNVPLG4LgcDUMXa DfpzhNXvNmHPdOH8m4DlTAZVHT3rPZuVxdllWmVSjKewbQVEE4JtcEQynjIlVEtYzeq1 SMC36fRP90QoqS+5j54Z83oD5b+QYKzD4kyxHuTadTJv9vXKZVuyFQ7oxN2Mj3fjvDts MP/1WvSAQOEuVfKPAzjlfTkfN9EXv0S8ZpvXuMT7uuDrpCF3yqjqEIqZ7627PJCSIhPu PXrvCbGWrIHIg5t2guRO/hn2tCJhmi3t4WUDwJt0b8R5IMPmDDKhL0znzNomOqExdllP Pw9w== X-Gm-Message-State: AOAM531OELExz8mCu9WuiZfD7rFu7M3VS2wAoADCTgnDvbcpeEJ3HOlF 7qQ2VL6GQDQTylMVht95xG+jGkD//gzGFl07UxU= X-Google-Smtp-Source: ABdhPJzPjUQGz72befg4eXiqv4HF+UCrlUk2tk/OmXsFFFT0ZLps3LkOqB4PKk09E1540FduSsQku8CNqEbOZhh7G60= X-Received: by 2002:a17:90a:460a:: with SMTP id w10mr3647381pjg.132.1634015133110; Mon, 11 Oct 2021 22:05:33 -0700 (PDT) Received: from 753933720722 named unknown by gmailapi.google.com with HTTPREST; Mon, 11 Oct 2021 22:05:32 -0700 From: Stefan Kangas In-Reply-To: <87k0wnpabe.fsf@gnus.org> (Lars Ingebrigtsen's message of "Mon, 21 Sep 2020 14:45:57 +0200") References: <83r211372b.fsf@gnu.org> <87imlxu0g1.fsf@gmx.de> 
<83y2utli1y.fsf@gnu.org> <87k0wnpabe.fsf@gnus.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux) MIME-Version: 1.0 Date: Mon, 11 Oct 2021 22:05:32 -0700 Message-ID: Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing To: Lars Ingebrigtsen Content-Type: text/plain; charset="UTF-8" X-Spam-Score: 0.5 (/) X-Debbugs-Envelope-To: 8427 Cc: "michael.albinus@gmx.de" , Eli Zaretskii , "8427@debbugs.gnu.org" <8427@debbugs.gnu.org>, Michael Mauger , Andrew Hyatt X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.5 (/) Lars Ingebrigtsen writes: > Michael Mauger writes: > >>> Please wait for a while, I'd like Michael Mauger to review this. >>> >>> Thanks. >> >> I will take a look after New Years. Thank you, Andrew and Eli. > > Michael, have you had time to look at the patches? I had a brief skim, > and they looked reasonable to me, but I have neither read them in-depth > nor tried them. Any news about this? It would be great to get this into Emacs 28. 
From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 13 12:06:10 2021
From: Michael Mauger
To: Stefan Kangas
Cc: Andrew Hyatt, Lars Ingebrigtsen, 8427@debbugs.gnu.org, michael.albinus@gmx.de, Eli Zaretskii
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Wed, 13 Oct 2021 16:05:57 +0000

On Tuesday, October 12th, 2021 at 1:05 AM, Stefan Kangas wrote:

> Lars Ingebrigtsen larsi@gnus.org writes:
>
> > Michael Mauger mmauger@protonmail.com writes:
> >
> > > > Please wait for a while, I'd like Michael Mauger to review this.
> > > >
> > > > Thanks.
> > >
> > > I will take a look after New Years. Thank you, Andrew and Eli.
> >
> > Michael, have you had time to look at the patches? I had a brief skim,
> > and they looked reasonable to me, but I have neither read them in-depth
> > nor tried them.
>
> Any news about this? It would be great to get this into Emacs 28.

I'm fine with this. I remember this vaguely and think we are all set. Let's
get it committed and we'll give it some attention/testing before the release

From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 13 13:47:57 2021
From: Stefan Kangas
To: Michael Mauger
Cc: Andrew Hyatt, Lars Ingebrigtsen, 8427@debbugs.gnu.org, michael.albinus@gmx.de, Eli Zaretskii
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Wed, 13 Oct 2021 10:47:37 -0700

Michael Mauger writes:

> I'm fine with this. I remember this vaguely and think we are all set. Let's
> get it committed and we'll give it some attention/testing before the release

Thanks, I guess we need one of our maintainers to approve this before
pushing this to emacs-28. Otherwise, it should go to master.
From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 13 14:26:49 2021
From: Eli Zaretskii
To: Stefan Kangas
Cc: michael.albinus@gmx.de, larsi@gnus.org, 8427@debbugs.gnu.org, mmauger@protonmail.com, ahyatt@gmail.com
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Wed, 13 Oct 2021 21:26:29 +0300
In-Reply-To: (message from Stefan Kangas on Wed, 13 Oct 2021 10:47:37 -0700)
Message-Id: <83pms8n5m2.fsf@gnu.org>

> From: Stefan Kangas
> Date: Wed, 13 Oct 2021 10:47:37 -0700
> Cc: Lars Ingebrigtsen, "michael.albinus@gmx.de", Eli Zaretskii,
>     "8427@debbugs.gnu.org" <8427@debbugs.gnu.org>, Andrew Hyatt
>
> Michael Mauger writes:
>
> > I'm fine with this. I remember this vaguely and think we are all set. Let's
> > get it committed and we'll give it some attention/testing before the release
>
> Thanks, I guess we need one of our maintainers to approve this before
> pushing this to emacs-28. Otherwise, it should go to master.

I'm okay with installing this on the release branch if Michael thinks
it's safe enough.

From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 13 17:26:41 2021
From: Stefan Kangas
To: Eli Zaretskii
Cc: michael.albinus@gmx.de, larsi@gnus.org, 8427@debbugs.gnu.org, mmauger@protonmail.com, ahyatt@gmail.com
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Wed, 13 Oct 2021 14:26:29 -0700
In-Reply-To: <83pms8n5m2.fsf@gnu.org>

Eli Zaretskii writes:

> I'm okay with installing this on the release branch if Michael thinks
> it's safe enough.

Michael, could you please push this to emacs-28 or master as you prefer?
Alternatively, just tell us where you'd like it to land and me or
someone else can push it.
From debbugs-submit-bounces@debbugs.gnu.org Tue Oct 19 00:37:37 2021
From: Michael Mauger
To: Stefan Kangas
Cc: ahyatt@gmail.com, Eli Zaretskii, 8427@debbugs.gnu.org, michael.albinus@gmx.de, larsi@gnus.org
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Tue, 19 Oct 2021 04:37:23 +0000

On Wednesday, October 13th, 2021 at 5:26 PM, Stefan Kangas wrote:

> Eli Zaretskii eliz@gnu.org writes:
>
> > I'm okay with installing this on the release branch if Michael thinks
> > it's safe enough.
>
> Michael, could you please push this to emacs-28 or master as you prefer?
> Alternatively, just tell us where you'd like it to land and me or
> someone else can push it.

I've pushed to master for now. I'll test this week and decide then whether I
push to emacs-28.

I think it's fine and safe, but I effed up for emacs-27, so I'm a little
cautious...

--
MICHAEL@MAUGER.COM // FSF and EFF member // GNU Emacs sql.el maintainer

From debbugs-submit-bounces@debbugs.gnu.org Tue Oct 19 01:16:14 2021
From: Stefan Kangas
To: control@debbugs.gnu.org
Subject: control message for bug #8427
Date: Mon, 18 Oct 2021 22:16:04 -0700

fixed 8427 29.1
quit

From debbugs-submit-bounces@debbugs.gnu.org Tue Oct 19 07:58:14 2021
From: Eli Zaretskii
To: Michael Mauger
Cc: michael.albinus@gmx.de, larsi@gnus.org, 8427@debbugs.gnu.org, stefan@marxist.se, ahyatt@gmail.com
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Tue, 19 Oct 2021 14:58:11 +0300
In-Reply-To: (message from Michael Mauger on Tue, 19 Oct 2021 04:37:23 +0000)
Message-Id: <83pms1cjl8.fsf@gnu.org>

> Date: Tue, 19 Oct 2021 04:37:23 +0000
> From: Michael Mauger
> Cc: Eli Zaretskii, larsi@gnus.org, michael.albinus@gmx.de, 8427@debbugs.gnu.org, ahyatt@gmail.com
>
> I've pushed to master for now. I'll test this week and decide then whether I push to emacs-28.

If you decide to backport to emacs-28, please cherry-pick from master,
instead of making a separate independent commit, because cherry-picks
are automatically skipped when emacs-28 branch is merged to master
(which happens almost daily these days).

Thanks.
From debbugs-submit-bounces@debbugs.gnu.org Tue Oct 19 08:06:11 2021
From: Michael Albinus
To: Eli Zaretskii
Cc: stefan@marxist.se, larsi@gnus.org, 8427@debbugs.gnu.org, Michael Mauger, ahyatt@gmail.com
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Tue, 19 Oct 2021 14:05:57 +0200
In-Reply-To: <83pms1cjl8.fsf@gnu.org> (Eli Zaretskii's message of "Tue, 19 Oct 2021 14:58:11 +0300")
Message-ID: <874k9djk2i.fsf@gmx.de>

Eli Zaretskii writes:

>> I've pushed to master for now. I'll test this week and decide then whether I push to emacs-28.
>
> If you decide to backport to emacs-28, please cherry-pick from master,
> instead of making a separate independent commit, because cherry-picks
> are automatically skipped when emacs-28 branch is merged to master
> (which happens almost daily these days).

Except the etc/NEWS change. This file differs heavily between emacs-28
and master branches. Furthermore, I have fixed some oddities in that
file wrt this change.

> Thanks.

Best regards, Michael.

From debbugs-submit-bounces@debbugs.gnu.org Fri Nov 05 03:11:34 2021
From: Stefan Kangas
To: Michael Mauger
Cc: ahyatt@gmail.com, Eli Zaretskii, 8427@debbugs.gnu.org, michael.albinus@gmx.de, larsi@gnus.org
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Fri, 5 Nov 2021 00:11:26 -0700

close 8427 29.1
thanks

Michael Mauger writes:

> I've pushed to master for now. I'll test this week and decide then
> whether I push to emacs-28.

Since the fix has been installed on master, I'm closing this bug. We can
still discuss here for up to 30 days before the bug is archived, in case
there is anything relating to cherry-picking the patch to the emacs-28
branch.

Thank you Andrew for writing the patch and Michael for reviewing and
installing it!

From unknown Sat Jun 21 10:44:59 2025
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Fri, 03 Dec 2021 12:24:06 +0000

bug archived.
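The whole thread turns on the flaw named in its subject: a password placed on a subprocess's command line is readable by every local user through ps(1). The script below is an added example, not code from the thread, from sql.el, from the patch discussed above or from Emacs; it does not reproduce what that patch changed. It spawns a constructed stand-in client (a short `python -c` program) twice, once with the secret in argv and once fed on the first line of stdin, and reads the child's command line the way a process listing does, through `/proc/<pid>/cmdline` with a fallback to `ps -o args=`. The function names (`visible_cmdline`, `secret_visible`), the stand-in client and the sample password are this example's own.

```python
"""Does a secret handed to a child process end up in its command line?

Added example for the leak named in this thread's subject; it is not
code from sql.el, from the patch discussed here, or from Emacs.  The
child process is a constructed stand-in for a database client: it takes
the secret either as argv[1] (the pattern ps(1) exposes) or as its first
line of stdin (what a prompt-driven exchange delivers), acknowledges,
and then waits until the parent closes its stdin."""
import subprocess
import sys

# Constructed stand-in client (assumption: behaves like any CLI that can
# take a password on the command line or read it from standard input).
CHILD_PROGRAM = (
    "import sys\n"
    "pw = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.readline().rstrip('\\n')\n"
    "sys.stdout.write('got %d chars\\n' % len(pw))\n"
    "sys.stdout.flush()\n"
    "sys.stdin.read()\n"  # stay alive until the parent closes our stdin
)


def visible_cmdline(pid: int) -> str:
    """Return PID's argv as any local user sees it in a process listing.

    /proc/<pid>/cmdline is world-readable on a default Linux /proc
    (mount option hidepid=0); where /proc is absent, ask ps(1) instead."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            raw = fh.read()
        return " ".join(p.decode(errors="replace") for p in raw.split(b"\0") if p)
    except OSError:
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True, check=False)
        return out.stdout.strip()


def secret_visible(how: str, secret: str) -> bool:
    """Spawn the stand-in client with SECRET passed via HOW ('argv' or
    'stdin') and report whether SECRET shows up in its command line."""
    if how not in ("argv", "stdin"):
        raise ValueError("how must be 'argv' or 'stdin'")
    argv = [sys.executable, "-c", CHILD_PROGRAM]
    if how == "argv":
        argv.append(secret)  # the leaky pattern: secret becomes argv[1]

    proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    try:
        if how == "stdin":
            proc.stdin.write(secret + "\n")  # delivered after exec, never in argv
            proc.stdin.flush()
        ack = proc.stdout.readline()  # the client has consumed the secret
        if not ack.startswith("got "):
            raise RuntimeError(f"unexpected reply from child: {ack!r}")
        return secret in visible_cmdline(proc.pid)
    finally:
        proc.stdin.close()
        proc.wait(timeout=10)


if __name__ == "__main__":
    sample = "s3cr3t-Xq9"  # constructed sample password
    for how in ("argv", "stdin"):
        state = "VISIBLE" if secret_visible(how, sample) else "hidden"
        print(f"{how:5s}: secret is {state} in the process listing")
```

Run it as a normal user and the argv case reports the secret as visible while the stdin case does not; the same check works against a real client by substituting its argv for the stand-in. Two caveats a practitioner will want: mounting /proc with hidepid=2 hides other users' command lines but is not the default and does not protect against same-uid processes, and moving the secret into an environment variable is only a partial fix, since /proc/<pid>/environ is readable by the process owner and shows up in ps(1) variants that print the environment. Delivering the secret after exec, over a pipe or an interactive prompt as in the stdin branch above, keeps it out of argv altogether.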