GNU bug report logs - #8427
[SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing

Previous Next

Package: emacs;

Reported by: Jari Aalto <jari.aalto <at> cante.net>

Date: Tue, 5 Apr 2011 11:28:01 UTC

Severity: normal

Tags: security

Found in version 23.2+1-7

Fixed in version 29.1

Done: Stefan Kangas <stefan <at> marxist.se>

Bug is archived. No further changes may be made.

Full log

Message #15 received at 8427 <at> debbugs.gnu.org (full text, mbox):

From: Glenn Morris <rgm <at> gnu.org>
To: 8427 <at> debbugs.gnu.org
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are
 leaked to ps(1) listing
Date: Wed, 05 Mar 2014 21:06:16 -0500

Jari Aalto wrote:

> There is a big security problem with sql.el:
>
>     M-x sql-mysql
>     <Fill in the connection details: user, password ...>
>
> At command line, anyone in multi-user environment can dig out the
> passwords:
>
>    $ ps -ef -o user,pid,args | grep mysql       # ps(1) under SUN/Solaris
>    foo  9599 /usr/local/bin/mysql --user=foo --password=123456 --host=db.example.com
>    bar  3732 /usr/local/bin/mysql --user=bar --password=abcdef --host=db.example.com

Apparently, no they cannot, since mysql replaces the password characters
with x's:

http://www.lenzg.net/archives/256-basic-mysql-security-providing-passwords-on-the-command-line.html

I tested it and it is so hidden for me.


Also, with recent Linux kernels, you can enable the procfs "hidepid"
feature to prevent this entire class of information leakage.


So I don't think Emacs needs to do anything but maybe add a warning
statement to the doc string.

Downgrading bug severity accordingly.
This bug report was last modified 3 years and 201 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.