[PATCH 1/2] s3fs-popt: Add function to burn the commandline password.

Jelmer Vernooij jelmer at samba.org
Mon Nov 5 13:11:37 MST 2012


On Mon, 2012-11-05 at 09:16 -0800, Jeremy Allison wrote:
> On Mon, Nov 05, 2012 at 12:08:34PM -0500, simo wrote:
> > On Mon, 2012-11-05 at 09:02 -0800, Jeremy Allison wrote:
> > > On Mon, Nov 05, 2012 at 08:02:47AM +0100, Michael Adam wrote:
> > > > Hi Andreas,
> > > > 
> > > > I agree with Andrew: the patch certainly does not harm, but
> > > > it might create a false sense of safety for specifying passwords
> > > > on the command line. We should not recommend that for production use.
> > > > So I am not quite certain what the patch is supposed to achieve.
> > > > Could you explain?
> > > 
> > > Just to chip in, as I'm reviewing this - this is not a security
> > > patch, it's a modification to move to better practices around
> > > password exposure. It's simply better practice to avoid showing
> > > a password in the process command line if you can avoid it.
> > > 
> > > Sure it's still available as the process is starting up, so
> > > it's not a fixable race, it's just .. tidier (IMHO :-).
> > > 
> > > Comparing it to the user name on the command line isn't really
> > > the same issue, user names are nowhere near as sensitive as
> > > passwords. Just because we can't make something completely
> > > secure doesn't mean we shouldn't try and make it a little
> > > better.
> > > 
> > > So I'm planning to push it unless there are really serious
> > > objections - I don't think this is a start of trying to
> > > remove all races in this area - I'm guessing it's a
> > > policy thing (try and reduce exposure of passwords
> > > as much as possible).
> > > 
> > > I'll wait until I get back on Wed before pushing to give
> > > people time if they really want to object but this doesn't
> > > seem a big deal to me.
> > 
> > this is really more about avoiding accidental exposure if we can than
> > anything else. It is not meant to make it secure to put passwords on the
> > command line, that's never secure and never will (and the password ends
> > up in your shell history too ...)
> 
> Yep, that's pretty much what I thought.
> 
> My criteria for these things (when they're tidy-ups, not security
> fixes) is "will our code be better with this patch in it ?" and the
> answer to me clearly is yes.
That makes sense.

It would be nice to mention these considerations (and the importance of
calling this function ASAP) in the popt_burn_cmdline_password function
documentation.

Cheers,

Jelmer
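The following is an added illustration of the technique the thread discusses, not the patch under review and not Samba's own popt_burn_cmdline_password(): a hypothetical burn_cmdline_password() that overwrites the secret portion of password-carrying arguments in the process's own argv, so that a later `ps` or read of /proc/<pid>/cmdline shows "xxxx" instead of the value. The option spellings it recognises (--password=SECRET, --password SECRET, -U USER%SECRET, -UUSER%SECRET, --user=USER%SECRET) are assumptions for the example. As the thread notes, the window between exec and the burn remains, so the call belongs at the very top of main(), after the program has copied the password out for its own use.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Burn the secret part of password-carrying arguments in argv, in place.
 * Hypothetical illustration, NOT Samba's popt_burn_cmdline_password().
 * The caller must already hold its own copy of the password, because the
 * bytes in argv are gone afterwards. Returns the number of bytes overwritten. */
size_t burn_cmdline_password(int argc, char **argv)
{
    size_t burned = 0;

    for (int i = 1; i < argc; i++) {
        char *arg = argv[i];
        char *secret = NULL;

        if (strncmp(arg, "--password=", 11) == 0) {
            secret = arg + 11;                 /* attached form */
        } else if (strcmp(arg, "--password") == 0 && i + 1 < argc) {
            secret = argv[++i];                /* value is the next argv entry */
        } else {
            /* USER%SECRET forms: keep USER visible, burn only SECRET */
            char *userspec = NULL;
            if (strncmp(arg, "--user=", 7) == 0) {
                userspec = arg + 7;
            } else if (strcmp(arg, "-U") == 0 && i + 1 < argc) {
                userspec = argv[++i];
            } else if (strncmp(arg, "-U", 2) == 0) {
                userspec = arg + 2;
            }
            if (userspec != NULL) {
                char *sep = strchr(userspec, '%');
                if (sep != NULL) secret = sep + 1;
            }
        }

        if (secret != NULL) {
            size_t n = strlen(secret);
            memset(secret, 'x', n);            /* same length, so argv layout is unchanged */
            burned += n;
        }
    }
    return burned;
}

/* Quick self-check of what the command line would still reveal:
 * returns 1 if any argv entry still contains NEEDLE, else 0. */
int cmdline_contains(int argc, char **argv, const char *needle)
{
    for (int i = 0; i < argc; i++)
        if (strstr(argv[i], needle) != NULL) return 1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Copy the secret out FIRST; after the burn it no longer exists in argv. */
    char *password = NULL;
    for (int i = 1; i < argc; i++)
        if (strncmp(argv[i], "--password=", 11) == 0)
            password = strdup(argv[i] + 11);

    /* Burn as early as possible to keep the exposure window small. */
    size_t n = burn_cmdline_password(argc, argv);
    printf("burned %zu byte(s); argv now:", n);
    for (int i = 0; i < argc; i++) printf(" %s", argv[i]);
    printf("\n");

    /* ... use `password` here, then wipe and free the private copy ... */
    if (password != NULL) {
        memset(password, 0, strlen(password));
        free(password);
    }
    return 0;
}
```

Overwriting with the same number of bytes keeps the argv strings the same length, so nothing else that parses the command line later (or the kernel's view of the argument area) is disturbed. The example does not address the shell-history exposure mentioned in the thread, nor the brief window before the burn runs; it only removes the password from the long-lived process listing.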