[PATCH 1/2] s3fs-popt: Add function to burn the commandline password.

Andreas Schneider asn at samba.org
Mon Nov 5 13:17:50 MST 2012


On Tuesday 06 November 2012 07:00:30 Andrew Bartlett wrote:
> On Mon, 2012-11-05 at 09:02 -0800, Jeremy Allison wrote:
> > On Mon, Nov 05, 2012 at 08:02:47AM +0100, Michael Adam wrote:
> > > Hi Andreas,
> > > 
> > > I agree with Andrew: the patch certainly does not harm, but
> > > it might create a false sense of safety for specifying passwords
> > > on the command line. We should not recommend that for production use.
> > > So I am not quite certain what the patch is supposed to achieve.
> > > Could you explain?
> > 
> > Just to chip in, as I'm reviewing this - this is not a security
> > patch, it's a modification to move to better practices around
> > password exposure. It's simply better practice to avoid showing
> > a password in the process command line if you can avoid it.
> > 
> > Sure it's still available as the process is starting up, so
> > it's not a fixable race, it's just .. tidier (IMHO :-).
> > 
> > Comparing it to the user name on the command line isn't really
> > the same issue, user names are nowhere near as sensitive as
> > passwords. Just because we can't make something completely
> > secure doesn't mean we shouldn't try and make it a little
> > better.
> 
> Jeremy,
> 
> You miss my point.  -U is covered, but the same behaviour
> (--user=abartlet%password) isn't.

There are updated patches already in this thread.

> > So I'm planning to push it unless there are really serious
> > objections - I don't think this is a start of trying to
> > remove all races in this area - I'm guessing it's a
> > policy thing (try and reduce exposure of passwords
> > as much as possible).
> > 
> > I'll wait until I get back on Wed before pushing to give
> > people time if they really want to object but this doesn't
> > seem a big deal to me.
> 
> So, my point is that once we start on this, we create a rod for our own
> back.
> 
> That is, we will create an expectation that we do this consistently for
> all utilities, and have 'security' bugs filed against us until it's done
> everywhere.

The question is, why is there popt-common in source3 and source4, and couldn't 
we just have one general popt samba system? I will spend some time on this in the next 
weeks to see if they could be merged.

The biggest problem here is that smbclient and rpcclient are interactive. 
They are running for quite some time.



	-- andreas

-- 
Andreas Schneider                   GPG-ID: F33E3FC6
Samba Team                             asn at samba.org
www.samba.org
