Description of problem:
If passwords are passed to IPA commands, they are visible in the "ps" output for all users/processes on the same host. For security reasons, the passwords in command line arguments should be overridden. For example, "mysql" does this.

Version-Release number of selected component (if applicable):
freeipa-server-4.4.0-0.fc24.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Open two consoles: One as root, one as a user.
2. Run on the first console an ipa command that uses a password as argument. For example:
   # ipa-replica-install --principal admin --password admin_password
3. On the second console, run "ps axf" while the command on the first is running.

Actual results:
Normal users and processes on the same host are able to see the password in the process list:

[user@server ~]$ ps axf
...
  464 ?     Ss  0:00 /usr/sbin/sshd
  564 ?     Ss  0:00  \_ sshd: root [priv]
  927 ?     S   0:00  |   \_ sshd: root@pts/1
  937 pts/1 Ss  0:00  |       \_ -bash
 1113 pts/1 R+  0:00  |           \_ /usr/bin/python2 -E /usr/sbin/ipa-replica-install --principal admin --password admin_password

Expected results:
IPA should override at least the password argument (better usernames, too). For example:

[user@server ~]$ ps axf
...
 1113 pts/1 R+  0:00  |           \_ /usr/bin/python2 -E /usr/sbin/ipa-replica-install --principal xxxxxxxx --password xxxxxxxx
To be safe, you should enter the password interactively in the terminal. This is not an issue on replicas, just the first master.

mysql uses dark magic and I have doubts that this is possible for Python (a simple change like sys.argv[0]='something' does not work):
http://unix.stackexchange.com/questions/88665/how-does-ps-know-to-hide-passwords

I propose wontfix/cantfix. I would like to not hack Python using C.
For replicas I meant to use an OTP password; it can be shown in ps output.
I still don't think it is a good idea to hack Python. I found this, I don't like it:
https://github.com/dvarrazzo/py-setproctitle

However, the package is in Fedora and RHEL: python-setproctitle
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6314
Even if the process changes argv to obfuscate the password strings, there will still be a small time interval when the values are visible. Isn't it better to focus on methods where the passwords are not passed as command line parameters, than to create a false sense of security?
I'm with Jan here. Something like https://fedorahosted.org/freeipa/ticket/4517 should be the fix.
For upcoming months or more the FreeIPA/IdM team is focusing on stability, testability of FreeIPA/IdM and thus postponing any RFEs or non-critical bugs.
This will be fixed by using the file handlers or env vars as proposed in bug 1211603.

*** This bug has been marked as a duplicate of bug 1211603 ***
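
The following is an added example, not part of the bug thread and not FreeIPA code. It shows what the thread settles on: a password given in argv is readable through /proc/<pid>/cmdline (the data ps prints), while one handed over on an inherited file descriptor is not. The `--password-fd` option and the child script are hypothetical stand-ins for an installer, and a Linux /proc is assumed.

```python
import os
import subprocess
import sys

SECRET = "admin_password"  # constructed sample value, as used in the report

# Hypothetical stand-in for an installer: takes the password from argv
# (--password VALUE) or from an inherited descriptor (--password-fd N).
CHILD = r"""
import os, sys
opt, val = sys.argv[1:3]
if opt == "--password":
    pw = val
else:
    with os.fdopen(int(val)) as f:
        pw = f.readline().rstrip("\n")
sys.stdout.write("ready %d\n" % len(pw))
sys.stdout.flush()
sys.stdin.readline()  # stay alive until the parent has inspected us
"""

def cmdline(pid):
    """argv of a running process, read the way ps reads it (Linux /proc)."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return f.read().rstrip(b"\0").decode().split("\0")

def visible_args(via_fd):
    """Run the child; return (argv visible in /proc, password length it got)."""
    keep = ()
    if via_fd:
        r, w = os.pipe()
        os.write(w, SECRET.encode() + b"\n")
        os.close(w)  # the secret now lives only in the pipe buffer
        argv, keep = ["--password-fd", str(r)], (r,)
    else:
        argv = ["--password", SECRET]
    p = subprocess.Popen([sys.executable, "-c", CHILD, *argv], pass_fds=keep,
                         stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    received = int(p.stdout.readline().split()[1])  # child has the password
    seen = cmdline(p.pid)
    p.stdin.close()  # EOF lets the child exit
    p.wait()
    p.stdout.close()
    for fd in keep:
        os.close(fd)
    return seen, received

if __name__ == "__main__":
    for mode in (False, True):
        seen, received = visible_args(mode)
        print("via fd" if mode else "via argv", "-> leaked:", SECRET in seen,
              "| child received", received, "chars")
```
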