User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2

Perl command-line utilities (like db2index.pl) show the password on console when used with "-w -".

Reproducible: Always

Steps to Reproduce:
1. Launch: /usr/lib64/dirsrv/slapd-krb5test/db2index.pl -w -
2. Enter the password:

[root@ldap-test ~]# /usr/lib64/dirsrv/slapd-test/db2index.pl -w -
Bind Password: mypass

Actual Results:
The password entered by user is shown on the screen.

Expected Results:
The password should be hidden.

The bug is in system("stty -echo") and system("stty echo") usage. It should work fine. However I have found that the export

$ENV{'PATH'} = "$prefix/usr/lib64/mozldap:$prefix/usr/bin:/usr/lib64/mozldap:/usr/bin";

changes the behavior of system("stty -echo"). Not sure exactly why it happens.

The simplest solution is to replace stty by its complete path:

# Read the password from terminal
print "Bind Password: ";
# Disable console echo
system("/bin/stty", "-echo");
# read the answer
$passwd = <STDIN>;
# Enable console echo
system("/bin/stty", "echo");
print "\n";
chop($passwd); # trim trailing newline

This way it works as expected and the password is hidden even with $ENV{'PATH'} exported.
It applies to at least all the utility templates in /usr/share/dirsrv/script-templates/ :

[root@ldap-est ~]# grep -iR stty /usr/share/dirsrv/script-templates/|cut -d\: -f 1|sort|uniq
/usr/share/dirsrv/script-templates/template-bak2db.pl
/usr/share/dirsrv/script-templates/template-db2bak.pl
/usr/share/dirsrv/script-templates/template-db2index.pl
/usr/share/dirsrv/script-templates/template-db2ldif.pl
/usr/share/dirsrv/script-templates/template-fixup-linkedattrs.pl
/usr/share/dirsrv/script-templates/template-fixup-memberof.pl
/usr/share/dirsrv/script-templates/template-ldif2db.pl
/usr/share/dirsrv/script-templates/template-ns-accountstatus.pl
/usr/share/dirsrv/script-templates/template-ns-activate.pl
/usr/share/dirsrv/script-templates/template-ns-inactivate.pl
/usr/share/dirsrv/script-templates/template-schema-reload.pl
/usr/share/dirsrv/script-templates/template-syntax-validate.pl
/usr/share/dirsrv/script-templates/template-usn-tombstone-cleanup.pl
The full path I have given ("/bin/stty") applies to RHEL/CentOS 5.x. For other distributions and Solaris/HPUX it may be quite different...
Do you have a /usr/bin/stty on your system? Is stty a shell built-in for your shell? I think we should use /bin/stty - should work in a posix-y environment.
No, I have a standard Red Hat installation:

[root@ldap-test ~]# locate stty
/bin/stty
/usr/share/doc/bash-3.2/functions/fstty
/usr/share/doc/bash-3.2/scripts.noah/stty.bash
/usr/share/man/man1/stty.1.gz
/usr/share/man/man1p/stty.1p.gz
/usr/share/man/man2/stty.2.gz
/usr/share/terminfo/e/elks-glasstty
/usr/share/terminfo/g/glasstty

So stty is only in /bin/stty. AFAIK stty is not a built-in bash command, that's why I said that I was not sure why it happened.
Solaris uses /bin/stty - I think it's safe to just use /bin/stty.
Created attachment 475042
0001-Bug-576534-Password-displayed-on-console-when-entere.patch
To ssh://git.fedorahosted.org/git/389/ds.git
   c9839b3..a7fe1a3  master -> master
commit a7fe1a31f0dc5ab2182503c031cac9714c89db2d
Author: Rich Megginson <rmeggins>
Date:   Mon Jan 24 12:53:21 2011 -0700

Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: Add a new configurable path - sttyexec - to configure.ac. This is the absolute path and filename of the stty command to use with the -echo and echo options to disable and enable tty echo for password entry with perl scripts. By default it is set to /bin/stty but it can be overridden on a per-platform basis in configure.ac. I had to move DialogManager.pm to DialogManager.pm.in in order to replace the stty command used there (which actually worked with just stty - not sure why that worked but other perl scripts did not).
Platforms tested: RHEL6 x86_64
Flag Day: yes - file renamed - autoconf file changes
Doc impact: no
[root@rhel61 slapd-rhel61]# /usr/lib64/dirsrv/slapd-rhel61/db2index.pl -w -
Bind Password:

Not showing pwd while typing.
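
Added example, not code from the 389 Directory Server scripts or from any commenter in this bug: the PATH quoted in the report has no /bin entry while locate finds stty only in /bin, and the scripts never check what system() returns, so a stty that cannot be started leaves echo on without any error. The sketch below calls stty by absolute path and refuses to prompt unless echo was really disabled; the helper names stty_ok and read_password and the hard-coded /bin/stty are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: stty lives at /bin/stty, the default chosen in the fix above.
my $STTY = "/bin/stty";

# Run stty by absolute path; true only if it started and exited 0.
sub stty_ok {
    my @args = @_;
    return 0 unless -x $STTY;
    # List form: no shell and no $ENV{'PATH'} lookup.
    my $rc = system($STTY, @args);
    warn "cannot run $STTY: $!\n" if $rc == -1;
    return $rc == 0;
}

# Hypothetical helper: read one password line, echo off when on a terminal.
sub read_password {
    my ($prompt) = @_;
    my $is_tty = -t STDIN;
    if ($is_tty) {
        # Fail closed: never prompt while the terminal still echoes.
        stty_ok("-echo") or die "echo not disabled, refusing to prompt\n";
    }
    # Put echo back if the user hits Ctrl-C at the prompt.
    local $SIG{INT} = sub { stty_ok("echo") if $is_tty; print "\n"; exit 130; };
    local $| = 1;
    print $prompt;
    my $passwd = <STDIN>;
    if ($is_tty) {
        stty_ok("echo") or warn "terminal echo was not restored\n";
    }
    print "\n";
    die "no password read\n" unless defined $passwd;
    chomp($passwd);    # removes the newline only, unlike chop
    return $passwd;
}

# Constructed demo: the narrowed PATH from the report (prefix omitted).
$ENV{'PATH'} = "/usr/lib64/mozldap:/usr/bin";
my $pw = read_password("Bind Password: ");
print "read ", length($pw), " characters\n";
```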