bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps
From: Jari Aalto
Subject: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Tue, 05 Apr 2011 14:27:03 +0300
Package: emacs
Version: 23.2+1-7
Severity: serious
Tags: security
There is a big security problem with sql.el:
M-x sql-mysql
<Fill in the connection details: user, password ...>
At the command line, anyone in a multi-user environment can dig out the
passwords:
    $ ps -ef -o user,pid,args | grep mysql # ps(1) under SUN/Solaris
    foo 9599 /usr/local/bin/mysql --user=foo --password=123456 --host=db.example.com
    bar 3732 /usr/local/bin/mysql --user=bar --password=abcdef --host=db.example.com
Jari
P.S. mysql(1) mentions that you can set database options in the ~/.my.cnf file.
MySQL case, there is in manual page:
-- System Information
Debian Release: wheezy/sid
APT Prefers testing
APT policy: (990, testing) (500, unstable) (1, experimental)
Architecture: amd64
Kernel: Linux picasso 2.6.32-5-amd64 #1 SMP Wed Jan 12 03:40:32 UTC 2011 x86_64 GNU/Linux
Locale: LANG=en_US.UTF-8, LC_ALL=
-- Versions of packages `emacs depends on'.
Depends:
emacs23 23.2+1-7 GNU Emacs is the extensible self-documenting
emacs23-lucid 23.2+1-7 GNU Emacs is the extensible self-documenting
emacs23-nox 23.2+1-7 GNU Emacs is the extensible self-documenting
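
Added example, not part of the original report and not sql.el code: a check that flags processes carrying --password= in a ps(1)-style listing, next to the option-file alternative the P.S. points at. The function names, the temporary file name and the sample listing are constructed for illustration, and the password is assumed to contain no double quote or backslash.

```shell
#!/bin/sh
# Added example. Function names and sample data are constructed.

# Read `ps -o user,pid,args`-style lines on stdin and report every process
# whose argument list carries --password=<value>. The value is not echoed.
find_argv_passwords() {
    awk '{
        for (i = 3; i <= NF; i++)
            if ($i ~ /^--password=./) {
                print $1, $2, $3, "--password=<redacted>"
                break
            }
    }'
}

# Write a MySQL client option file readable only by its owner and print its
# path. The password is read from stdin, so it never appears in any argv.
# Usage: write_client_optfile USER HOST < password-source
# Assumption: the password contains no double quote or backslash.
write_client_optfile() {
    ( umask 077
      f=$(mktemp "${TMPDIR:-/tmp}/mycnf.XXXXXX") || exit 1
      IFS= read -r pw || [ -n "$pw" ] || exit 1
      printf '[client]\nuser=%s\nhost=%s\npassword="%s"\n' "$1" "$2" "$pw" > "$f"
      printf '%s\n' "$f" )
}

# Constructed sample in the format of the listing shown in the report.
sample_ps() {
    cat <<'EOF'
foo 9599 /usr/local/bin/mysql --user=foo --password=123456 --host=db.example.com
bar 3732 /usr/local/bin/mysql --defaults-extra-file=/tmp/mycnf.Ab12Cd
baz 4100 /usr/bin/vi notes.txt
EOF
}

# Only the first process is reported; the other two expose no password.
sample_ps | find_argv_passwords
```

The file written by write_client_optfile would be handed to the client as `mysql --defaults-extra-file=PATH`, which has to be the first option on the command line, and removed once the session ends.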