GNU bug report logs -
#8427
[SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Reported by: Jari Aalto <jari.aalto <at> cante.net>
Date: Tue, 5 Apr 2011 11:28:01 UTC
Severity: normal
Tags: security
Found in version 23.2+1-7
Fixed in version 29.1
Done: Stefan Kangas <stefan <at> marxist.se>
Message #5 received at submit <at> debbugs.gnu.org:
Package: emacs
Version: 23.2+1-7
Severity: serious
Tags: security
There is a big security problem with sql.el:
M-x sql-mysql
<Fill in the connection details: user, password ...>
At the command line, anyone in a multi-user environment can dig out the
passwords:
$ ps -ef -o user,pid,args | grep mysql # ps(1) under SUN/Solaris
foo 9599 /usr/local/bin/mysql --user=foo --password=123456 --host=db.example.com
bar 3732 /usr/local/bin/mysql --user=bar --password=abcdef --host=db.example.com
Jari
P.S. mysql(1) mentions that you can set database options in the ~/.my.cnf file.
In the MySQL case, the manual page says:
-- System Information
Debian Release: wheezy/sid
APT Prefers testing
APT policy: (990, testing) (500, unstable) (1, experimental)
Architecture: amd64
Kernel: Linux picasso 2.6.32-5-amd64 #1 SMP Wed Jan 12 03:40:32 UTC 2011 x86_64 GNU/Linux
Locale: LANG=en_US.UTF-8, LC_ALL=
-- Versions of packages `emacs depends on'.
Depends:
emacs23 23.2+1-7 GNU Emacs is the extensible self-documenting
emacs23-lucid 23.2+1-7 GNU Emacs is the extensible self-documenting
emacs23-nox 23.2+1-7 GNU Emacs is the extensible self-documenting
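A defender-side check for this class of leak, added here as an example and not part of the bug report, of sql.el or of Emacs: it parses `ps -eo user,pid,args`-style output (a constructed sample modelled on the listing above is embedded) and reports processes whose argument vector carries a password, with the secret redacted in the report so that the audit output does not repeat the leak. The argument forms it looks for (`--password=VALUE` and mysql's glued short form `-pVALUE`) are assumptions about client syntax and are not exhaustive; a bare `-p` or `--password`, which makes the client prompt, is deliberately not flagged.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample of `ps -eo user,pid,args` output, modelled on the listing
# in the bug report (not a real process table). The psql line has no password
# in argv and must not be flagged; the mysql short form -pVALUE must be, while
# a bare -p (prompt) must not.
SAMPLE_PS = """\
foo 9599 /usr/local/bin/mysql --user=foo --password=123456 --host=db.example.com
bar 3732 /usr/local/bin/mysql --user=bar --password=abcdef --host=db.example.com
baz 4100 /usr/bin/psql -U baz -h db.example.com
qux 4201 /usr/local/bin/mysql --user=qux -pS3cret --host=db.example.com
qux 4202 /usr/local/bin/mysql --user=qux -p --host=db.example.com
"""

# Assumed argv forms that carry a password value (not exhaustive):
#   --password=VALUE   long form with the value in the same argument
#   -pVALUE            mysql short form with the value glued to the flag
# Group 1 keeps the flag itself so the report can show where the value was.
LEAK_PATTERNS = [
    re.compile(r"(--password=)\S+"),
    re.compile(r"(?<=\s)(-p)\S+"),
]


def redact(args: str) -> str:
    """Return the command line with every password value replaced."""
    for pat in LEAK_PATTERNS:
        args = pat.sub(lambda m: m.group(1) + "<redacted>", args)
    return args


def find_password_leaks(ps_output: str) -> List[Dict[str, str]]:
    """Parse user/pid/args lines and return the processes whose argv exposes
    a password. The returned args are redacted so the finding itself does
    not repeat the secret."""
    findings: List[Dict[str, str]] = []
    for line in ps_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0] == "USER":  # skip header and short lines
            continue
        user, pid, args = parts
        if any(pat.search(args) for pat in LEAK_PATTERNS):
            findings.append({"user": user, "pid": pid, "args": redact(args)})
    return findings


def scan_live() -> List[Dict[str, str]]:
    """Run the real ps(1) (procps column syntax, as on Linux) and scan it."""
    out = subprocess.run(["ps", "-eo", "user,pid,args"],
                         capture_output=True, text=True, check=True).stdout
    return find_password_leaks(out)


if __name__ == "__main__":
    # Offline demonstration over the constructed sample; call scan_live()
    # instead to audit the running system.
    for f in find_password_leaks(SAMPLE_PS):
        print(f"{f['user']:8} {f['pid']:>6}  {f['args']}")
```

Because argv is world-readable through ps(1) and /proc on ordinary multi-user hosts, a check like this run from cron is a cheap way to catch any client, not only the one sql.el launches, that was started with a password on its command line.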
This bug report was last modified 3 years and 201 days ago.