bug-gnu-emacs

bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps


From: Jari Aalto
Subject: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Tue, 05 Apr 2011 14:27:03 +0300

Package: emacs
Version: 23.2+1-7
Severity: serious
Tags: security

There is a big security problem with sql.el:

    M-x sql-mysql
    <Fill in the connection details: user, password ...>

At the command line, anyone in a multi-user environment can dig out the
passwords:

   $ ps -ef -o user,pid,args | grep mysql       # ps(1) under SUN/Solaris
   foo  9599 /usr/local/bin/mysql --user=foo --password=123456 --host=db.example.com
   bar  3732 /usr/local/bin/mysql --user=bar --password=abcdef --host=db.example.com

Jari

P.S. mysql(1) mentions that you can set database options in the ~/.my.cnf file.

MySQL case, there is in manual page:

-- System Information
Debian Release: wheezy/sid
  APT Prefers testing
  APT policy: (990, testing) (500, unstable) (1, experimental)
Architecture: amd64
Kernel: Linux picasso 2.6.32-5-amd64 #1 SMP Wed Jan 12 03:40:32 UTC 2011 x86_64 GNU/Linux
Locale: LANG=en_US.UTF-8, LC_ALL=

-- Versions of packages `emacs depends on'.
Depends:
emacs23         23.2+1-7        GNU Emacs is the extensible self-documenting
emacs23-lucid   23.2+1-7        GNU Emacs is the extensible self-documenting
emacs23-nox     23.2+1-7        GNU Emacs is the extensible self-documenting
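
The exposure reported above and the option-file route the P.S. points to, as an added example (not code from sql.el, Emacs, or the original message). The function names `audit_ps_listing`, `write_client_cnf` and `mysql_argv` are hypothetical, and the sample listing is constructed in the shape of the report's ps(1) output.

```shell
#!/bin/sh
# Added example: not code from sql.el, Emacs, or the bug report.

# Constructed listing in the shape of the report's `ps -o user,pid,args` output.
SAMPLE_PS='foo  9599 /usr/local/bin/mysql --user=foo --password=123456 --host=db.example.com
bar  3732 /usr/local/bin/mysql --user=bar --host=db.example.com
baz  4100 /usr/local/bin/mysql -ubaz -psecret --host=db.example.com'

# Read "user pid args..." lines on stdin; print "user pid program" for each
# mysql process whose argv carries a password (--password=VALUE or -pVALUE).
# The password value itself is never echoed.
audit_ps_listing() {
    awk '$3 == "mysql" || $3 ~ /\/mysql$/ {
        for (i = 4; i <= NF; i++)
            if ($i ~ /^--password=./ || $i ~ /^-p./) { print $1, $2, $3; break }
    }'
}

# Write a [client] option file readable only by its owner.
# Usage: write_client_cnf PATH USER HOST, password read from stdin so it never
# appears in any argv. Assumes the password contains no '"' or '\'.
write_client_cnf() {
    IFS= read -r pw || return 1
    rm -f "$1"                      # umask only applies to newly created files
    ( umask 077
      printf '[client]\nuser=%s\npassword="%s"\nhost=%s\n' "$2" "$pw" "$3" > "$1" )
}

# The command line a front end would spawn instead: the only thing ps can
# show is the option file's path. mysql requires --defaults-extra-file to be
# the first option.
mysql_argv() {
    printf '/usr/local/bin/mysql --defaults-extra-file=%s' "$1"
}

# Run the audit over the constructed listing.
printf '%s\n' "$SAMPLE_PS" | audit_ps_listing
```

The audit flags the `foo` and `baz` processes and skips `bar`, whose command line carries no password argument.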




