From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: Andrew Hyatt <ahyatt@gmail.com>
Newsgroups: gmane.emacs.bugs
Subject: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to
	ps(1) listing
Date: Sun, 07 Jan 2018 12:54:31 -0500
Message-ID: <menlgh98sh4.fsf@ahyatt-macbookpro6.roam.corp.google.com>
References: <87fwpxdjlk.fsf@blue.sea.net> <2swqg8rsh3.fsf@fencepost.gnu.org>
	<jwva9d1fw9a.fsf-monnier+emacsbugs@gnu.org>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: blaine.gmane.org 1515347606 29205 195.159.176.226 (7 Jan 2018 17:53:26 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Sun, 7 Jan 2018 17:53:26 +0000 (UTC)
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (darwin)
Cc: 8427@debbugs.gnu.org
To: Stefan Monnier <monnier@iro.umontreal.ca>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Sun Jan 07 18:53:22 2018
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by blaine.gmane.org with esmtp (Exim 4.84_2)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1eYF8G-00071e-1O
	for geb-bug-gnu-emacs@m.gmane.org; Sun, 07 Jan 2018 18:53:16 +0100
Original-Received: from localhost ([::1]:60825 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1eYFAF-0002Cs-Eb
	for geb-bug-gnu-emacs@m.gmane.org; Sun, 07 Jan 2018 12:55:19 -0500
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:35289)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1eYFA2-00025a-GN
	for bug-gnu-emacs@gnu.org; Sun, 07 Jan 2018 12:55:07 -0500
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1eYF9z-0000sH-DR
	for bug-gnu-emacs@gnu.org; Sun, 07 Jan 2018 12:55:06 -0500
Original-Received: from debbugs.gnu.org ([208.118.235.43]:59379)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1eYF9z-0000s6-A9
	for bug-gnu-emacs@gnu.org; Sun, 07 Jan 2018 12:55:03 -0500
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1eYF9z-0003HS-43
	for bug-gnu-emacs@gnu.org; Sun, 07 Jan 2018 12:55:03 -0500
X-Loop: help-debbugs@gnu.org
Resent-From: Andrew Hyatt <ahyatt@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Sun, 07 Jan 2018 17:55:03 +0000
Resent-Message-ID: <handler.8427.B8427.151534768812574@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 8427
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
Original-Received: via spool by 8427-submit@debbugs.gnu.org id=B8427.151534768812574
	(code B ref 8427); Sun, 07 Jan 2018 17:55:03 +0000
Original-Received: (at 8427) by debbugs.gnu.org; 7 Jan 2018 17:54:48 +0000
Original-Received: from localhost ([127.0.0.1]:39825 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1eYF9k-0003Gk-01
	for submit@debbugs.gnu.org; Sun, 07 Jan 2018 12:54:48 -0500
Original-Received: from mail-qk0-f182.google.com ([209.85.220.182]:43000)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <ahyatt@gmail.com>) id 1eYF9j-0003GY-0e
	for 8427@debbugs.gnu.org; Sun, 07 Jan 2018 12:54:47 -0500
Original-Received: by mail-qk0-f182.google.com with SMTP id d202so11677111qkc.9
	for <8427@debbugs.gnu.org>; Sun, 07 Jan 2018 09:54:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; 
	h=from:to:cc:subject:references:date:in-reply-to:message-id
	:user-agent:mime-version;
	bh=ObqPoT58TUuEqeHfzM+b4wQ2Z6w3P4w2YqkOawfjsts=;
	b=Mxzyxrd4raOVCrUhFp9+RDgANshPrviRhROyTytIGaj7nUE5n0/SlGAG6YNjIlnasd
	yT6kFMwY4Z5xCx/nDiM4OY+WaPJSSLQYzWXFNQL3CsVqlBwpgfOnkQl/M3cFJqSvRIcK
	AZvO9nH3ZJOOKuTm3O/p+AnModTu35WbYS+S9YUxKiPPaitojNljLbpC3l+5w27LPr4W
	AxqTZBcuRqNXpNHYskYku17JW7tMtpFW4h/GZQTcUVlMziPs/Rr+3dxBkRSZNMwraFZS
	rHoixNNL8s+xsC+hIiSjSx49TkWTnjDkL3U74GlOTaVWeolnzzVXhPn8BQJEXqzp2UPX
	w7YA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to
	:message-id:user-agent:mime-version;
	bh=ObqPoT58TUuEqeHfzM+b4wQ2Z6w3P4w2YqkOawfjsts=;
	b=UTe5wjcmMVLSuQbdwOLQBxX/4NmnxG5mOgX2ZqMBboQnPqDdCgyoWk/7NsZBwOm7wp
	uFGSph0CYzUbMNOx8mKt19GGIbMVN0gt2bniU4UrfQPx+DdjqJhkFHZWnc79d2+JmQKX
	qKGSPsUVUPUeXy+W9/ez/noYmEY9SsvSuN74iepDCn0SQzeDkm/+jx9QI34uAPw/jzfC
	gIrL/Xf/XsR1HQFrb+q9nkBePXsW0yqdJnlgNxGEQd0th3IgLGuOO5ZmSeycdVk4Sphm
	Qi+GO7JWxI4PgVZbfjfCZjdmQ77BCEEeRZeIlF9H/+JKzAHwsFBWCUCvcyAXP9Xyyvka
	joCg==
X-Gm-Message-State: AKwxytf0OQ3/8dfzw7grz7SFOd5a7cTcp4//BsOQLwxoznZfUBoLLdN8
	1caGcERtu9mGZ2vetAluqzdpdlSx
X-Google-Smtp-Source: ACJfBov99XPEDjj2Z2B3z2MpaGv79iulnFylsHUz70HS2TkszL9EhRAU+CrhYwayfYHteteQmBP8ag==
X-Received: by 10.55.142.66 with SMTP id q63mr13397564qkd.346.1515347680860;
	Sun, 07 Jan 2018 09:54:40 -0800 (PST)
Original-Received: from ahyatt-macbookpro6.roam.corp.google.com
	(pool-74-108-52-224.nycmny.fios.verizon.net. [74.108.52.224])
	by smtp.gmail.com with ESMTPSA id
	l76sm7222547qkl.30.2018.01.07.09.54.38
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Sun, 07 Jan 2018 09:54:39 -0800 (PST)
In-Reply-To: <jwva9d1fw9a.fsf-monnier+emacsbugs@gnu.org> (Stefan Monnier's
	message of "Fri, 07 Mar 2014 18:02:36 -0500")
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 208.118.235.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs/>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: "bug-gnu-emacs"
	<bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.bugs:141880
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/141880>


This is fairly easy to fix - mysql can check to see if the user entered
a blank for the password prompt, and instead of not sending a password,
send just the "--password" argument so the user can enter it into the
process instead of the command line.  I have a fix ready to check in
that works for mysql (I'm not sure which other products support that).

Alternatively, we can just have a variable that controls whether
passwords are asked for on the command line at all (if sql-password is
unset), which could default to nil, making the security better by
default.

BTW, I guess the attack here is that another user process can use
something like strace to snoop on emacs's child processeses and obtain
the mysql password?

Stefan Monnier <monnier@iro.umontreal.ca> writes:

>> Apparently, no they cannot, since mysql replaces the password characters
>> with x's:
>
> Of course, that still leaves the chars exposed during a short time window.
>
>
>         Stefan