Command line API: How to not expose passwords?

Hi,

Following up on https://www.virtualmin.com/node/12264 ...

<Original Post>

Command line API: How to not expose passwords

I'm scripting Virtualmin GPL using the command line API and ran into a security-related issue.

In order to use commands such as create-domain, modify-domain etc., I have to supply passwords on the command line, i.e. virtualmin --pass password.

But ...

Such passwords are transiently available if some other normal shell user happens to run 'ps -ef' at the same time.

So, any thoughts on how I can work around this?

Is there an equivalent of mysql's -p parameter which accepts passwords via stdin?

<End Original Post>

Any thoughts on this?

I'd suggest modifying the command line API to accept passwords via stdin, but you may have a different idea.

Status: Closed (fixed)

Comments

Good suggestion .. in the Virtualmin 3.76 release, I will add a --passfile flag to the domain and mailbox creation and modification API commands. This will take a filename to read the password from as a parameter.

Hmmm... having to create random temporary files (and then delete them afterwards) is perhaps more trouble than necessary.

Would it be possible to accept this information via stdin?

Or else, ensure the --passfile flag also accepts '-' to mean stdin?

i.e. something like:

virtualmin create-domain --passfile - --domain blah.blah.com ...

You could use /dev/stdin as the filename, which is the same as reading from stdin ..

Ah, okay. That will be satisfactory then.

Thank you very much.

Automatically closed -- issue fixed for 2 weeks with no activity.

Hi,

Just wanted to report that --passfile works satisfactorily for the commands create-domain and modify-domain in Virtualmin GPL 3.76. Thank you very much.
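
The approach the thread settles on, shown as an added example that is not part of the original thread or of Virtualmin's own code: the password is piped to --passfile /dev/stdin by a shell builtin, so it never appears in an argument list that 'ps -ef' can show. The fake_virtualmin stand-in, the run_with_passfile helper and the VIRTUALMIN variable are hypothetical names, the single-line passfile format is an assumption, and the password and domain are constructed sample values.

```shell
#!/bin/sh
# Hypothetical stand-in for the real `virtualmin` command so this runs offline.
# It prints the argument list it was started with (what `ps -ef` would show)
# and the first line of the file named by --passfile (assumed format).
fake_virtualmin() {
    seen_args="$*"
    passfile=""
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --passfile) passfile="$2"; shift 2 ;;
            *) shift ;;
        esac
    done
    IFS= read -r got_pass < "$passfile"
    printf 'argv: %s\npass: %s\n' "$seen_args" "$got_pass"
}

# Command to run; defaults to the stand-in. Hypothetical variable name.
VIRTUALMIN="${VIRTUALMIN:-fake_virtualmin}"

# run_with_passfile PASSWORD SUBCOMMAND [ARGS...]   (hypothetical helper)
# printf is a builtin in bash and dash, so the shell itself writes the
# password into the pipe; it is never an argument of an exec'd process.
# An external /bin/echo or /usr/bin/printf would put it back into argv.
run_with_passfile() {
    pw="$1"; shift
    nl='
'
    case "$pw" in
        *"$nl"*) echo "password must be a single line" >&2; return 2 ;;
    esac
    printf '%s\n' "$pw" | "$VIRTUALMIN" "$@" --passfile /dev/stdin
}

# Constructed demo: password and domain are made-up sample values.
run_with_passfile 'S3cr3t pa$$' create-domain --domain example.com
```

Setting VIRTUALMIN=virtualmin in the environment points the helper at the real command instead of the stand-in.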