bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps

From: Andrew Hyatt
Subject: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Sat, 12 Oct 2019 21:51:33 -0400
On Sat, Oct 5, 2019 at 11:28 PM Stefan Kangas <stefan@marxist.se> wrote:
Hi Andrew,

Andrew Hyatt <ahyatt@gmail.com> writes:

> This is fairly easy to fix - mysql can check to see if the user entered
> a blank for the password prompt, and instead of not sending a password,
> send just the "--password" argument so the user can enter it into the
> process instead of the command line.  I have a fix ready to check in
> that works for mysql (I'm not sure which other products support that).

I think using an empty "--pasword" parameter sounds like the right fix.
That makes mysql prompt for the password, and we could supply it there
instead.  I guess that's what you meant?

Could you perhaps send your patch here for review?

I no longer know where my changes are.   It's been a while.  But I think I can probably recreate them, which I'll try to do this week.
 

> Alternatively, we can just have a variable that controls whether
> passwords are asked for on the command line at all (if sql-password is
> unset), which could default to nil, making the security better by
> default.

I'm not sure what this means, but I guess the above fix should be
enough.  Perhaps I'm missing something.

The idea is that instead of connecting with the --password arg, it can be left out entirely, in which case the program should ask for it (which is secure).  
 

> BTW, I guess the attack here is that another user process can use
> something like strace to snoop on emacs's child processeses and obtain
> the mysql password?

Well, according to the threads linked earlier this can still be a
problem on Solaris, where the password is visible to all users if they
just run "ps".  Perhaps it's been fixed since whenever these comments
were written though... 

> Stefan Monnier <monnier@iro.umontreal.ca> writes:
>
>>> Apparently, no they cannot, since mysql replaces the password characters
>>> with x's:
>>
>> Of course, that still leaves the chars exposed during a short time window.

And as Stefan explains here the password is still exposed during a
short time window even on GNU/Linux.  AFAIU, it's a possible race
attack which it would be nice to avoid.

Yes, I think the solutions I presented should fix this.  Stay tuned for a patch.
 

Best regards,
Stefan Kangas
reply via email to
[Prev in Thread] Current Thread [Next in Thread]