Bug 576534

Summary: Password displayed on console when entered in command-line utilities
Product: [Retired] 389 Reporter: Andrey Ivanov <andrey.ivanov>
Component: Command Line UtilitiesAssignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE QA Contact: Viktor Ashirov <vashirov>
Severity: medium Docs Contact:
Priority: medium    
Version: 1.2.6CC: amsharma, jgalipea, rmeggins
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-07 17:12:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 639035, 656390    
Attachments:
Description Flags
0001-Bug-576534-Password-displayed-on-console-when-entere.patch nhosoi: review+

Description Andrey Ivanov 2010-03-24 11:48:49 UTC 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2

Perl command-line utilities (like db2index.pl) show the password on console when used with "-w -".

Reproducible: Always

Steps to Reproduce:
1.Launch :
/usr/lib64/dirsrv/slapd-krb5test/db2index.pl -w -

2. Enter the password :
[root@ldap-test ~]# /usr/lib64/dirsrv/slapd-test/db2index.pl -w -
Bind Password: mypass

Actual Results:  
The password entered by user is shown on the screen.

Expected Results:  
The password should be hidden.

The bug is in system("stty -echo") and system("stty echo") usage. It should work fine.
However i have found that the export 
$ENV{'PATH'} = "$prefix/usr/lib64/mozldap:$prefix/usr/bin:/usr/lib64/mozldap:/usr/bin";

changes the behavior of system("stty -echo"). Not sure exactly why it happens.

The most simple solution is to replace stty by it's complete path:
# Read the password from terminal
        print "Bind Password: ";
        # Disable console echo
        system("/bin/stty", "-echo");
        # read the answer
        $passwd = <STDIN>;
        # Enable console echo
        system("/bin/stty", "echo");
        print "\n";
        chop($passwd); # trim trailing newline
This way it works as expected and the password is hidden even with $ENV{'PATH'} exported.

It applies to at least all the utility templates in /usr/share/dirsrv/script-templates/ :

[root@ldap-est ~]# grep -iR stty /usr/share/dirsrv/script-templates/|cut -d\: -f 1|sort|uniq
/usr/share/dirsrv/script-templates/template-bak2db.pl
/usr/share/dirsrv/script-templates/template-db2bak.pl
/usr/share/dirsrv/script-templates/template-db2index.pl
/usr/share/dirsrv/script-templates/template-db2ldif.pl
/usr/share/dirsrv/script-templates/template-fixup-linkedattrs.pl
/usr/share/dirsrv/script-templates/template-fixup-memberof.pl
/usr/share/dirsrv/script-templates/template-ldif2db.pl
/usr/share/dirsrv/script-templates/template-ns-accountstatus.pl
/usr/share/dirsrv/script-templates/template-ns-activate.pl
/usr/share/dirsrv/script-templates/template-ns-inactivate.pl
/usr/share/dirsrv/script-templates/template-schema-reload.pl
/usr/share/dirsrv/script-templates/template-syntax-validate.pl
/usr/share/dirsrv/script-templates/template-usn-tombstone-cleanup.pl
Comment 1 Andrey Ivanov 2010-03-24 18:24:49 UTC 
The full path i have given ("/bin/stty") applies to RHEL/CentOS 5.x. For other distributions and Solaris/HPUX it may be quite different...
Comment 2 Rich Megginson 2010-03-25 01:47:54 UTC 
Do you have a /usr/bin/stty on your system?  Is stty a shell built-in for your shell?  I think we should use /bin/stty - should work in a posix-y environment.
Comment 3 Andrey Ivanov 2010-03-25 08:23:07 UTC 
No, i have a standard redhat installation :

[root@ldap-test ~]# locate stty
/bin/stty
/usr/share/doc/bash-3.2/functions/fstty
/usr/share/doc/bash-3.2/scripts.noah/stty.bash
/usr/share/man/man1/stty.1.gz
/usr/share/man/man1p/stty.1p.gz
/usr/share/man/man2/stty.2.gz
/usr/share/terminfo/e/elks-glasstty
/usr/share/terminfo/g/glasstty


So stty is only in /bin/stty. AFAIK stty is not a built-in bash command, that's why i told that i was not sure why it happened.
Comment 4 Rich Megginson 2010-03-25 14:32:01 UTC 
Solaris uses /bin/stty - I think it's safe to just use /bin/stty.
Comment 6 Rich Megginson 2011-01-24 20:49:40 UTC 
Created attachment 475042 [details]
0001-Bug-576534-Password-displayed-on-console-when-entere.patch
Comment 7 Rich Megginson 2011-01-24 22:42:57 UTC 
To ssh://git.fedorahosted.org/git/389/ds.git
   c9839b3..a7fe1a3  master -> master
commit a7fe1a31f0dc5ab2182503c031cac9714c89db2d
Author: Rich Megginson <rmeggins>
Date:   Mon Jan 24 12:53:21 2011 -0700
    Reviewed by: nhosoi (Thanks!)
    Branch: master
    Fix Description: Add a new configurable path - sttyexec - to configure.ac.
    This is the absolute path and filename of the stty command to use with
    the -echo and echo options to disable and enable tty echo for password
    entry with perl scripts.  By default it is set to /bin/stty but it can be
    overridden on a per-platform basis in configure.ac.  I had to move
    DialogManager.pm to DialogManager.pm.in in order to replace the stty
    command used there (which actually worked with just stty - not sure
    why that worked but other perl scripts did not).
    Platforms tested: RHEL6 x86_64
    Flag Day: yes - file renamed - autoconf file changes
    Doc impact: no
Comment 8 Amita Sharma 2011-06-16 13:13:56 UTC 
[root@rhel61 slapd-rhel61]# /usr/lib64/dirsrv/slapd-rhel61/db2index.pl -w -
Bind Password: 

Not showing pwd while typing..