[PATCH 1/2] s3fs-popt: Add function to burn the commandline password.

simo idra at samba.org
Mon Nov 5 10:08:34 MST 2012


On Mon, 2012-11-05 at 09:02 -0800, Jeremy Allison wrote:
> On Mon, Nov 05, 2012 at 08:02:47AM +0100, Michael Adam wrote:
> > Hi Andreas,
> > 
> > I agree with Andrew: the patch certainly does not harm, but
> > it might create a false sense of safety for specifying passwords
> > on the command line. We should not recommend that for production use.
> > So I am not quite certain what the patch is supposed to achieve.
> > Could you explain?
> 
> Just to chip in, as I'm reviewing this - this is not a security
> patch, it's a modification to move to better practices around
> password exposure. It's simply better practice to avoid showing
> a password in the process command line if you can avoid it.
> 
> Sure it's still available as the process is starting up, so
> it's not a fixable race, it's just .. tidier (IMHO :-).
> 
> Comparing it to the user name on the command line isn't really
> the same issue, user names are nowhere near as sensitive as
> passwords. Just because we can't make something completely
> secure doesn't mean we shouldn't try and make it a little
> better.
> 
> So I'm planning to push it unless there are really serious
> objections - I don't think this is a start of trying to
> remove all races in this area - I'm guessing it's a
> policy thing (try and reduce exposure of passwords
> as much as possible).
> 
> I'll wait until I get back on Wed before pushing to give
> people time if they really want to object but this doesn't
> seem a big deal to me.

this is really more about avoiding accidental exposure if we can than
anything else. It is not meant to make it secure to put passwords on the
command line, that's never secure and never will be (and the password ends
up in your shell history too ...).

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
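The practice discussed in this thread, overwriting the password bytes held in argv[] once option parsing is done so they no longer show in ps or /proc/<pid>/cmdline, as an added illustration in C. This is example code written here, not the patch's or Samba's own burn function; the option forms it recognises ("--password=S", "--password S", "-U user%S", "-Uuser%S", "--user=user%S") are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Overwrite one secret in place. The length is kept so the argv layout is
 * untouched; only the bytes change. Returns 1 if anything was scrubbed. */
static int burn(char *secret)
{
    size_t n = strlen(secret);
    memset(secret, 'X', n);
    return n > 0;
}

/* Scrub password text out of argv[] after the caller has copied the
 * password elsewhere. Returns the number of arguments scrubbed. This closes
 * the window only from this point on; the original text was visible while
 * the process started, and it is still in the shell history. */
int burn_commandline_password(int argc, char **argv)
{
    int burned = 0;
    for (int i = 1; i < argc; i++) {
        char *arg = argv[i];
        char *userspec = NULL;   /* "user%password" style value, if any */

        if (strncmp(arg, "--password=", 11) == 0) {
            burned += burn(arg + 11);
        } else if (strcmp(arg, "--password") == 0 && i + 1 < argc) {
            burned += burn(argv[++i]);   /* value is the next argument */
        } else if (strncmp(arg, "--user=", 7) == 0) {
            userspec = arg + 7;
        } else if (strcmp(arg, "--user") == 0 && i + 1 < argc) {
            userspec = argv[++i];
        } else if (strncmp(arg, "-U", 2) == 0) {
            userspec = arg[2] != '\0' ? arg + 2                  /* -Uuser%pw */
                     : (i + 1 < argc ? argv[++i] : NULL);        /* -U user%pw */
        }

        if (userspec != NULL) {
            char *pct = strchr(userspec, '%');   /* keep the user, burn the rest */
            if (pct != NULL) {
                burned += burn(pct + 1);
            }
        }
    }
    return burned;
}

int main(void)
{
    /* Constructed argv; the arrays must be writable, unlike string literals. */
    char a0[] = "smbclient", a1[] = "--password=hunter2", a2[] = "-U",
         a3[] = "alice%s3cret", a4[] = "//server/share";
    char *argv[] = { a0, a1, a2, a3, a4 };
    int n = burn_commandline_password(5, argv);
    printf("scrubbed %d argument(s): %s %s %s %s\n", n, a1, a2, a3, a4);
    return 0;
}
```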