From: Michael Mauger
To: 8427@debbugs.gnu.org
Resent-CC: bug-gnu-emacs@gnu.org
Newsgroups: gmane.emacs.bugs
Subject: bug#8427: (no subject)
Date: Tue, 28 Feb 2012 15:35:25 -0800 (PST)
Message-ID: <1330472125.33805.YahooMailNeo@web126004.mail.ne1.yahoo.com>
In-Reply-To: <87fwpxdjlk.fsf@blue.sea.net>

This is not a problem with just sql-mysql, it's an issue with all database products that require a password. MySql is one of the few that covers its tracks after it starts up. When sql.el starts up one of these product interpreters that require a password, it embeds the password in the command line. If the operating system, such as GNU/Linux, displays the full command line of executing processes, the vulnerability exists.

The alternative is to rely upon the operating system's authentication and authorization so that explicit credentials do not need to be passed to the command interpreter on the command line. The one other solution provided by a couple of database products allows the credentials to be sent via an I/O channel, which would hide them from prying eyes, but may be more difficult to support cross-platform.

I'm open to including a warning about the potential vulnerability -- wording suggestions appreciated. Alternative solutions also welcome.
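The exposure described in the message above, reproduced as an added example (not code from the bug report, from sql.el, or from any database vendor). It assumes a GNU/Linux host with /proc (falling back to `ps -o args` elsewhere); "fake-sql-client" is a placeholder for a real client binary, implemented as a plain `sh` whose argv mimics a client started as `client -U <user> -P <password>`, and "hunter2" is a constructed sample password. The first function passes the secret on argv, as the message says sql.el does for most products; the second hands it over on stdin, the "I/O channel" alternative mentioned there, and shows that argv then never carries it.

```shell
#!/bin/sh
# Added example, not part of the bug thread or of sql.el. On GNU/Linux any
# local user can read the argv of any process (/proc/<pid>/cmdline, `ps -o
# args`), so a password passed as an argument is exposed; one read from
# stdin is not. "fake-sql-client" and "hunter2" are constructed stand-ins.

MARKER=fake-sql-client   # argv[0] of the stand-in, used to detect its exec

# argv of process $1, exactly as `ps` would show it to any local user.
cmdline_of() {
  if [ -r "/proc/$1/cmdline" ]; then
    tr '\0' ' ' < "/proc/$1/cmdline"
  else
    ps -o args= -p "$1"          # non-Linux fallback (BSD/macOS ps)
  fi
}

# Poll until the child has exec'd, i.e. its argv carries our marker; before
# that, in the fork/exec window, we would be reading the parent's argv.
wait_for_exec() {
  i=0
  while [ "$i" -lt 100 ]; do
    if cmdline_of "$1" 2>/dev/null | grep -qF -- "$MARKER"; then return 0; fi
    sleep 0.05 2>/dev/null || sleep 1
    i=$((i + 1))
  done
  return 1
}

# Print "leaked" if secret $2 appears in the argv of process $1, else
# "hidden"; then stop the stand-in.
inspect_and_stop() {
  if wait_for_exec "$1" && cmdline_of "$1" | grep -qF -- "$2"; then
    echo leaked
  else
    echo hidden
  fi
  kill "$1" 2>/dev/null || :
  wait "$1" 2>/dev/null || :
}

# What the message says sql.el does for most products: the secret ($1)
# rides on the command line as the argument of -P.
# ("sleep 3; :" is two commands so the shell does not exec sleep directly,
#  which would replace the argv we want to observe.)
password_on_argv() {
  sh -c 'sleep 3; :' "$MARKER" -U alice -P "$1" >/dev/null 2>&1 &
  inspect_and_stop $! "$1"
}

# The "I/O channel" alternative: the client reads the secret from stdin,
# so argv, and therefore ps and /proc, never contain it.
password_on_stdin() {
  printf '%s\n' "$1" | sh -c 'IFS= read -r pw; sleep 3; :' "$MARKER" -U alice >/dev/null 2>&1 &
  inspect_and_stop $! "$1"
}

# Stand-alone run.
echo "argv:  $(password_on_argv hunter2)"    # leaked
echo "stdin: $(password_on_stdin hunter2)"   # hidden
```

Two practical caveats follow from this. "Covering tracks" the way the MySQL client does means overwriting the password in its own argv after startup, which closes the hole only after the process has started, so there is still a window in which the argument is visible. And the stdin route only works when the client supports reading credentials that way, which is the cross-platform difficulty the message raises; where it is not available, a warning in sql.el is the honest alternative.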