unofficial mirror of bug-gnu-emacs@gnu.org 
 help / color / mirror / code / Atom feed
From: Andrew Hyatt <ahyatt@gmail.com>
To: Michael Mauger <mmauger@protonmail.com>
Cc: "8427@debbugs.gnu.org" <8427@debbugs.gnu.org>,
	Stefan Kangas <stefan@marxist.se>
Subject: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Fri, 01 Nov 2019 21:10:46 -0400	[thread overview]
Message-ID: <menftj7ytex.fsf@ahyatt-macbookpro6.roam.corp.google.com> (raw)
In-Reply-To: <-DPnoQRPO3mztTMZP0CLEkVHEueQfRbf1NL2NMBa_alnqjzctP5kLNyD-Gd_yioQqTu-QiEXfLGzidBeSrX0jY_-tlyrBEnMU5Mo5febRng=@protonmail.com> (Michael Mauger's message of "Mon, 21 Oct 2019 20:33:09 +0000")

Michael Mauger <mmauger@protonmail.com> writes:

> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Sunday, October 20, 2019 8:56 PM, Andrew Hyatt <ahyatt@gmail.com> wrote:
>
>>
>>
>> Thanks for the insightful comments - yes, everything you say makes
>> sense. I've implemented what you describe. However, I'm a little unsure
>> of this one - I had to advise a comint primitive and even re-implement
>> part of an existing comint function. It feels like comint should perhaps
>> have a way to do this sort of thing within itself, but I couldn't find
>> any.
>>
>> I've attached the latest revision.
>>
>> Stefan Kangas stefan@marxist.se writes:
>>
>> > (Please keep the bug address in Cc.)
>> > Andrew Hyatt ahyatt@gmail.com writes:
>> >
>> > > I'm attaching the fix. The fix for MySQL was fairly straightforward. I
>> > > tried it out, and it works.
>> >
>> > I'm not sure this is the right fix. How is the user to know that the
>> > correct thing is to provide an empty password when prompted for it?
>> > Why do we even prompt for the password then?
>> > Also, what if a user wants to login to an account that has no
>> > password? Should we really pass the "--password" parameter in that
>> > case? Does that work?
>> > I think something like this would be better:
>> >
>> > 1.  Keep the password prompt.
>> > 2.  Use the naked "--password" parameter only when the user has
>> >     entered a password, and use nothing when the user entered nothing.
>> >
>> > 3.  Never use the "--password=<foo>" parameter.
>> > 4.  When mysql prompts for the password, send it to the process
>> >     automatically, without user interaction.
>> >
>> >
>> > > I looked through sql.el for similar issues,
>> > > and was able to fix Vertica as well, although I've never heard of
>> > > Vertica before and couldn't test it out. Parameters were set according
>> > > to the docs at
>> > > https://www.vertica.com/docs/9.2.x/HTML/Content/Authoring/ConnectingToVertica/vsql/CommandLineOptions.htm,
>> > > which does match the existing code.
>> >
>> > Unless someone can test it, perhaps we should leave out the Vertica part?
>> > Thanks for working on this.
>> > Best regards,
>> > Stefan Kangas
>
> I have tried a couple of different versions of this in the past but have found a lot of corner cases that made me back off.
>
> Some thoughts:
>
> * The login-params function will set `sql-password' to nil if it isn't a
> parameter being prompted for and is not set otherwise. If it is prompted for and
> empty the variable will be an empty string not nil. We need some test cases
> written to confirm that the behavior is as we expect. Small shell scripts can be
> created to simulate the SQL processor for the general flow. The test scripts
> should be included in the commit for this feature.
>
> * Only supply the password using the comint password filter if support for
> passing the password on stdin is supported and expected in this instance. This
> would probably be a flag set in the `sql-PRODUCT-comint-func' (based on the
> command line logic) and set as a buffer local in the buffer. The comint filter
> would then check the flag before trying to stuff the password into the stream.
> That avoids sending a database password to a prompt that is for other purposes.
> Also does this have to be advice to the comint filter or just another filter
> installed on the comint hook? (Policy is that standard Emacs packages do not use
> advice and the hook is present and used by the existing hook.)
>
> * Only send the password to the first time a password is asked for. Some
> interactive sql processes allow changing the connection mid-session and the
> password for the original username may not be appropriate for the new connection
> they made. This is especially true in enterprise environments where password
> failures can be set to disable the database user.

Your advice is good, but following it led me to some complexity I can't
seem to get away from. Perhaps you have some insight, so let me explain.
The issue is that, yes, I can not advise the comint function. However,
if I supply my own function, then I have to remove the
comint-watch-for-password-prompt, supply my own function, then restore
it when the user has entered their password (so it can handle subsequent
password entries).  This juggling of the normal
comint-watch-for-password-prompt method, plus the fact that we basically
have to reimplement part of it, gives me pause - I think it's probably
too hacky a solution.

There's a few ways out.  We could introduce a variable used in
sql-product-alist that tells SQL not to prompt for a password because
the db will just get it via the comint password function.  That would
probably work well, but it wouldn't store the sql-password at all, that
variable would be unused.  Maybe that's OK, maybe not - I don't have a
good sense for it.

Or, we could make this auto-password-supplying per-buffer a part of
comint itself.  That would widen the scope of the fix, but it would
probably be the best of both functionality and simplicity.

What do you think?

>
> * Please do not alter indenting of existing code not involved in the change; the indentation is deliberate in some cases and the spurious changes just generate noise in the diffs. Thanks.
>
> * Are we adding a flag to the `sql-product-alist' to indicate that passwords may
> be passed via stdin? I would recommend that we do so because that way it can be
> globally disabled if the environment calls for it. For example, a user may want
> to supply it on the command line because it is not a concen in their
> environment. Some database products support passing the password this way, but
> also alter the command line parameters to mask out the actual password so that
> the `ps' exposure is fairly small.
>
> Thanks working on this but I'm still concerned that we could break existing use of sql-interactive-mode unintentionally.
>
> --
> MICHAEL@MAUGER.COM // FSF and EFF member // GNU Emacs sql.el maintainer





  reply	other threads:[~2019-11-02  1:10 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-04-05 11:27 bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing Jari Aalto
2012-02-28 23:35 ` bug#8427: (no subject) Michael Mauger
2014-03-06  2:06 ` bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing Glenn Morris
2014-03-07 23:02   ` Stefan Monnier
2018-01-07 17:54     ` Andrew Hyatt
2019-10-06  3:28 ` Stefan Kangas
2019-10-13  1:51   ` Andrew Hyatt
2019-10-13 22:09     ` Stefan Kangas
     [not found]       ` <meny2xh8p4o.fsf@ahyatt-macbookpro6.roam.corp.google.com>
2019-10-20 15:57         ` bug#8427: Fwd: " Stefan Kangas
2019-10-20 16:02           ` Stefan Kangas
2019-10-21  0:56             ` Andrew Hyatt
2019-10-21 20:33               ` Michael Mauger via Bug reports for GNU Emacs, the Swiss army knife of text editors
2019-11-02  1:10                 ` Andrew Hyatt [this message]
2019-11-02 19:41                   ` Michael Mauger via Bug reports for GNU Emacs, the Swiss army knife of text editors
2019-11-11  5:31                     ` Andrew Hyatt
2019-12-16  4:59                       ` Andrew Hyatt
2019-12-16 15:12                         ` Michael Mauger via Bug reports for GNU Emacs, the Swiss army knife of text editors
2019-12-18  6:15                           ` Andrew Hyatt
2019-12-18 12:45                             ` Michael Mauger via Bug reports for GNU Emacs, the Swiss army knife of text editors
2019-12-18 16:57                               ` Eli Zaretskii
2019-12-18 17:52                                 ` Michael Mauger via Bug reports for GNU Emacs, the Swiss army knife of text editors
2019-12-30 15:11                                   ` Andrew Hyatt
2019-12-30 18:34                                     ` Michael Albinus
2019-12-30 19:26                                       ` Andrew Hyatt
2019-12-30 19:39                                         ` Eli Zaretskii
2019-12-30 23:36                                           ` Michael Mauger via Bug reports for GNU Emacs, the Swiss army knife of text editors
2020-09-21 12:45                                             ` Lars Ingebrigtsen
2021-10-12  5:05                                               ` Stefan Kangas
2021-10-13 16:05                                                 ` Michael Mauger via Bug reports for GNU Emacs, the Swiss army knife of text editors
2021-10-13 17:47                                                   ` Stefan Kangas
2021-10-13 18:26                                                     ` Eli Zaretskii
2021-10-13 21:26                                                       ` Stefan Kangas
2021-10-19  4:37                                                         ` Michael Mauger via Bug reports for GNU Emacs, the Swiss army knife of text editors
2021-10-19 11:58                                                           ` Eli Zaretskii
2021-10-19 12:05                                                             ` Michael Albinus
2021-11-05  7:11                                                           ` Stefan Kangas

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=menftj7ytex.fsf@ahyatt-macbookpro6.roam.corp.google.com \
    --to=ahyatt@gmail.com \
    --cc=8427@debbugs.gnu.org \
    --cc=mmauger@protonmail.com \
    --cc=stefan@marxist.se \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).