[PATCH 1/2] s3fs-popt: Add function to burn the commandline password.

Andrew Bartlett abartlet at samba.org
Mon Nov 5 13:00:30 MST 2012


On Mon, 2012-11-05 at 09:02 -0800, Jeremy Allison wrote:
> On Mon, Nov 05, 2012 at 08:02:47AM +0100, Michael Adam wrote:
> > Hi Andreas,
> > 
> > I agree with Andrew: the patch certainly does not harm, but
> > it might create a false sense of safety for specifying passwords
> > on the command line. We should not recommend that for production use.
> > So I am not quite certain what the patch is supposed to achieve.
> > Could you explain?
> 
> Just to chip in, as I'm reviewing this - this is not a security
> patch, it's a modification to move to better practices around
> password exposure. It's simply better practice to avoid showing
> a password in the process command line if you can avoid it.
> 
> Sure it's still available as the process is starting up, so
> it's not a fixable race, it's just .. tidier (IMHO :-).
> 
> Comparing it to the user name on the command line isn't really
> the same issue, user names are nowhere near as sensitive as
> passwords. Just because we can't make something completely
> secure doesn't mean we shouldn't try and make it a little
> better.

Jeremy,

You miss my point.  -U is covered, but the same behaviour
(--user=abartlet%password) isn't. 

> So I'm planning to push it unless there are really serious
> objections - I don't think this is a start of trying to
> remove all races in this area - I'm guessing it's a
> policy thing (try and reduce exposure of passwords
> as much as possible).
> 
> I'll wait until I get back on Wed before pushing to give
> people time if they really want to object but this doesn't
> seem a big deal to me.

So, my point is that once we start on this, we create a rod for our own
back.  

That is, we will create an expectation that we do this consistently for
all utilities, and have 'security' bugs filed against us until it's done
everywhere.  If we must do this, then I would like to see patches to
cover everything (all existing binaries as well as python commands).
I'm asking this not because I want to block incremental progress, but
because I fear we will quickly get demands to be consistent, and I would
like to see evidence that we can be. 

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
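The argv scrubbing the thread is about, as an added example that is not Samba's code and not the patch Jeremy is reviewing: it burns the password out of both the `-U name%password` form and the `--user=name%password` form Andrew points out, so a later `ps` or read of `/proc/<pid>/cmdline` sees only the user name. The option names, the `X` fill byte, the `burn_*` function names and the sample argv are assumptions made for illustration.

```c
/*
 * Added example, not Samba's code and not the patch under review: scrub a
 * password given on the command line out of argv so it stops showing in
 * `ps` and /proc/<pid>/cmdline. It covers both spellings named in the
 * thread, -U name%password (or -Uname%password) and --user=name%password
 * (or --user name%password). Option names and the 'X' fill are assumed
 * for illustration. The race Jeremy mentions remains: anything that read
 * the command line before this ran has already seen the password.
 */
#include <stdio.h>
#include <string.h>

/* Overwrite the password after '%' in a name%password credential with 'X'.
 * Returns 1 if a password was present and burned, 0 otherwise. The write
 * goes through a volatile pointer so the compiler cannot treat it as a
 * dead store; the user name and the '%' are left readable. */
static int burn_credential(char *cred)
{
    char *pct;
    volatile char *p;

    if (cred == NULL) {
        return 0;
    }
    pct = strchr(cred, '%');
    if (pct == NULL) {
        return 0;   /* user name only, nothing secret to hide */
    }
    for (p = pct + 1; *p != '\0'; p++) {
        *p = 'X';
    }
    return 1;
}

/* Walk argv and burn the password of every credential option found.
 * Returns the number of passwords overwritten. Must be given the real,
 * writable vector passed to main(): the point is to change the bytes other
 * processes read, so scanning a copy achieves nothing. */
int burn_argv_passwords(int argc, char **argv)
{
    const char *longopt = "--user";
    size_t longlen = strlen(longopt);
    int i, burned = 0;

    for (i = 1; i < argc && argv[i] != NULL; i++) {
        char *a = argv[i];

        if (strcmp(a, "--") == 0) {
            break;  /* end of options; what follows is never parsed */
        }
        if (strncmp(a, "-U", 2) == 0) {
            if (a[2] != '\0') {
                burned += burn_credential(a + 2);       /* -Uname%pw */
            } else if (i + 1 < argc) {
                burned += burn_credential(argv[++i]);   /* -U name%pw */
            }
            continue;
        }
        if (strncmp(a, longopt, longlen) == 0) {
            if (a[longlen] == '=') {
                burned += burn_credential(a + longlen + 1);   /* --user=name%pw */
            } else if (a[longlen] == '\0' && i + 1 < argc) {
                burned += burn_credential(argv[++i]);         /* --user name%pw */
            }
            continue;
        }
    }
    return burned;
}

/* Self-check over a constructed argv (sample input, not a real invocation):
 * returns the number of passwords burned when the result is as expected,
 * or -1 if any password survived or a user name was damaged. */
int burn_demo(void)
{
    char a0[] = "smbclient";
    char a1[] = "-U";
    char a2[] = "abartlet%secret";
    char a3[] = "--user=abartlet%secret";
    char a4[] = "//server/share";
    char *args[] = { a0, a1, a2, a3, a4, NULL };
    int n = burn_argv_passwords(5, args);

    if (strcmp(a2, "abartlet%XXXXXX") != 0 ||
        strcmp(a3, "--user=abartlet%XXXXXX") != 0 ||
        strcmp(a4, "//server/share") != 0) {
        return -1;
    }
    return n;
}

/* A real tool lets its option parser copy the password into memory it
 * owns, then calls burn_argv_passwords(argc, argv) straight afterwards,
 * before anything else (a fork, a long network wait) widens the window. */
int main(void)
{
    printf("burned %d password(s)\n", burn_demo());
    return 0;
}
```

Two caveats a reviewer would raise against this example as much as against the patch: it must run after the parser has taken its own copy of the password (otherwise the tool authenticates with `XXXXXX`), and it only finds the spellings it was taught, so clustered short options such as `-NU name%password`, or a future `--username=` alias, would slip past it. That second point is exactly Andrew's consistency concern: every binary and every option spelling needs the same treatment, or users learn the wrong lesson from the ones that do.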




More information about the samba-technical mailing list