GNU bug report logs - #8427
[SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing

Previous Next

Package: emacs;

Reported by: Jari Aalto <jari.aalto <at> cante.net>

Date: Tue, 5 Apr 2011 11:28:01 UTC

Severity: normal

Tags: security

Found in version 23.2+1-7

Fixed in version 29.1

Done: Stefan Kangas <stefan <at> marxist.se>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Andrew Hyatt <ahyatt <at> gmail.com>
To: Stefan Kangas <stefan <at> marxist.se>
Cc: Glenn Morris <rgm <at> gnu.org>, 8427 <at> debbugs.gnu.org, Stefan Monnier <monnier <at> iro.umontreal.ca>
Subject: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Sat, 12 Oct 2019 21:51:33 -0400

[Message part 1 (text/plain, inline)]
On Sat, Oct 5, 2019 at 11:28 PM Stefan Kangas <stefan <at> marxist.se> wrote:

> Hi Andrew,
>
> Andrew Hyatt <ahyatt <at> gmail.com> writes:
>
> > This is fairly easy to fix - mysql can check to see if the user entered
> > a blank for the password prompt, and instead of not sending a password,
> > send just the "--password" argument so the user can enter it into the
> > process instead of the command line.  I have a fix ready to check in
> > that works for mysql (I'm not sure which other products support that).
>
> I think using an empty "--pasword" parameter sounds like the right fix.
> That makes mysql prompt for the password, and we could supply it there
> instead.  I guess that's what you meant?
>
> Could you perhaps send your patch here for review?
>

I no longer know where my changes are.   It's been a while.  But I think I
can probably recreate them, which I'll try to do this week.


>
> > Alternatively, we can just have a variable that controls whether
> > passwords are asked for on the command line at all (if sql-password is
> > unset), which could default to nil, making the security better by
> > default.
>
> I'm not sure what this means, but I guess the above fix should be
> enough.  Perhaps I'm missing something.
>

The idea is that instead of connecting with the --password arg, it can be
left out entirely, in which case the program should ask for it (which is
secure).


>
> > BTW, I guess the attack here is that another user process can use
> > something like strace to snoop on emacs's child processeses and obtain
> > the mysql password?
>
> Well, according to the threads linked earlier this can still be a
> problem on Solaris, where the password is visible to all users if they
> just run "ps".  Perhaps it's been fixed since whenever these comments
> were written though...


> > Stefan Monnier <monnier <at> iro.umontreal.ca> writes:
> >
> >>> Apparently, no they cannot, since mysql replaces the password
> characters
> >>> with x's:
> >>
> >> Of course, that still leaves the chars exposed during a short time
> window.
>
> And as Stefan explains here the password is still exposed during a
> short time window even on GNU/Linux.  AFAIU, it's a possible race
> attack which it would be nice to avoid.
>

Yes, I think the solutions I presented should fix this.  Stay tuned for a
patch.


>
> Best regards,
> Stefan Kangas
>

[Message part 2 (text/html, inline)]
This bug report was last modified 3 years and 201 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.