Bug 1371087

Summary: Override passwords in command line arguments
Product: Red Hat Enterprise Linux 7 Reporter: Marc Muehlfeld <mmuehlfe>
Component: ipa Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED DUPLICATE QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3 CC: akasurde, jpazdziora, pasik, pvoborni, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-11 14:20:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Marc Muehlfeld 2016-08-29 09:59:01 UTC
Description of problem:
If passwords are passed to IPA commands, they are visible in the "ps" output for all users/processes on the same host. For security reasons, the passwords in command line arguments should be overridden. For example, "mysql" does this.



Version-Release number of selected component (if applicable):
freeipa-server-4.4.0-0.fc24.x86_64



How reproducible:
Always



Steps to Reproduce:
1. Open two consoles: One as root, one as a user.
2. Run on the first console an ipa command that uses a password as argument. For example:
   # ipa-replica-install --principal admin --password admin_password
3. On the second console, run "ps axf" while the command on the first is running.



Actual results:
Normal users and processes on the same host are able to see the password in the process list:
[user@server ~]$ ps axf
...
  464 ?        Ss     0:00 /usr/sbin/sshd
  564 ?        Ss     0:00  \_ sshd: root [priv]
  927 ?        S      0:00  |   \_ sshd: root@pts/1
  937 pts/1    Ss     0:00  |       \_ -bash
 1113 pts/1    R+     0:00  |           \_ /usr/bin/python2 -E /usr/sbin/ipa-replica-install --principal admin --password admin_password



Expected results:
IPA should override at least the password argument (better usernames, too). For example:
[user@server ~]$ ps axf
...
 1113 pts/1    R+     0:00  |           \_ /usr/bin/python2 -E /usr/sbin/ipa-replica-install --principal xxxxxxxx --password xxxxxxxx

Comment 2 Martin Bašti 2016-08-30 17:16:36 UTC
To be safe, you should enter the password interactively in the terminal. This is not an issue on replicas, just on the first master.
 
mysql uses dark magic and I have doubts that this is possible for Python (a simple change such as sys.argv[0]='something' does not work)
http://unix.stackexchange.com/questions/88665/how-does-ps-know-to-hide-passwords

I propose wont/cantfix. I would like to not hack Python using C.

Comment 3 Martin Bašti 2016-08-30 17:17:50 UTC
For replicas I meant to use an OTP password; it can be shown in ps output.

Comment 4 Martin Bašti 2016-09-06 13:21:39 UTC
I still don't think it is a good idea to hack Python.
Found this, I don't like it: https://github.com/dvarrazzo/py-setproctitle

However, the package is in Fedora and RHEL: python-setproctitle

Comment 6 Petr Vobornik 2016-09-09 13:31:53 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6314

Comment 7 Jan Pazdziora 2016-09-09 13:45:20 UTC
Even if the process changes argv to obfuscate the password strings, there will still be a small time interval when the values are visible. Isn't it better to focus on methods where the passwords are not passed as command line parameters, than to create a false sense of security?

Comment 8 Petr Vobornik 2016-09-09 15:05:51 UTC
I'm with Jan here. Something like https://fedorahosted.org/freeipa/ticket/4517 should be the fix.

Comment 10 Petr Vobornik 2017-10-16 11:49:30 UTC
For the upcoming months or more, the FreeIPA/IdM team is focusing on stability and testability of FreeIPA/IdM and is thus postponing any RFEs or non-critical bugs.

Comment 11 Petr Vobornik 2018-05-11 14:20:00 UTC
This will be fixed by using file handlers or env vars as proposed in bug 1211603.

*** This bug has been marked as a duplicate of bug 1211603 ***
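
Added example (not part of the bug report and not FreeIPA code): a Python sketch comparing what other local users can read from /proc/<pid>/cmdline, the source of the "ps" output above, when a password is passed in argv versus written to the child's stdin. It assumes Linux with /proc; the child script, the `--password-stdin` option and the sample password are hypothetical stand-ins, not options of any IPA tool.

```python
import subprocess
import sys

SECRET = "constructed-sample-password"  # constructed value, not a real credential

# Hypothetical stand-in for an installer: takes the password either from
# --password (argv) or, with --password-stdin, from the first line of stdin.
CHILD = (
    "import sys\n"
    "a = sys.argv[1:]\n"
    "line = sys.stdin.readline().rstrip('\\n')  # also keeps the process alive\n"
    "pw = line if '--password-stdin' in a else a[a.index('--password') + 1]\n"
    "print(len(pw))\n"
)


def visible_cmdline(pid):
    """Return the argument list any local user can read for pid (Linux /proc)."""
    with open("/proc/%d/cmdline" % pid, "rb") as f:
        return f.read().decode().split("\0")[:-1]


def run(args, stdin_line):
    """Start the child, snapshot what 'ps' would show, then let it finish."""
    proc = subprocess.Popen([sys.executable, "-c", CHILD] + args,
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            text=True)
    seen = visible_cmdline(proc.pid)  # taken while the child is still running
    out, _ = proc.communicate(stdin_line + "\n")
    return seen, int(out)


def leaked(seen):
    """True if the secret appears in any argument visible to other users."""
    return any(SECRET in arg for arg in seen)


if __name__ == "__main__":
    for label, args, line in (
        ("argv ", ["--principal", "admin", "--password", SECRET], ""),
        ("stdin", ["--principal", "admin", "--password-stdin"], SECRET),
    ):
        seen, pw_len = run(args, line)
        print(label, "child received %d chars;" % pw_len,
              "secret visible in process list:", leaked(seen))
```

In both runs the child receives the full password, but only the argv variant exposes it in the process list, and it does so from the moment the process starts.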