Bug 576534 - Password displayed on console when entered in command-line utilities
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Command Line Utilities
Version: 1.2.6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
Blocks: 639035 389_1.2.8
Reported: 2010-03-24 11:48 UTC by Andrey Ivanov
Modified: 2015-12-07 17:12 UTC (History)
Last Closed: 2015-12-07 17:12:58 UTC


Attachments
0001-Bug-576534-Password-displayed-on-console-when-entere.patch (869.18 KB, patch)
2011-01-24 20:49 UTC, Rich Megginson
nhosoi: review+

Description Andrey Ivanov 2010-03-24 11:48:49 UTC
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2

Perl command-line utilities (like db2index.pl) show the password on console when used with "-w -".

Reproducible: Always

Steps to Reproduce:
1. Launch:
/usr/lib64/dirsrv/slapd-krb5test/db2index.pl -w -

2. Enter the password:
[root@ldap-test ~]# /usr/lib64/dirsrv/slapd-test/db2index.pl -w -
Bind Password: mypass

Actual Results:  
The password entered by user is shown on the screen.

Expected Results:  
The password should be hidden.

The bug is in system("stty -echo") and system("stty echo") usage. It should work fine.
However, I have found that the export
$ENV{'PATH'} = "$prefix/usr/lib64/mozldap:$prefix/usr/bin:/usr/lib64/mozldap:/usr/bin";

changes the behavior of system("stty -echo"). Not sure exactly why it happens.

The most simple solution is to replace stty by its complete path:

        # Read the password from terminal
        print "Bind Password: ";
        # Disable console echo
        system("/bin/stty", "-echo");
        # read the answer
        $passwd = <STDIN>;
        # Enable console echo
        system("/bin/stty", "echo");
        print "\n";
        chop($passwd); # trim trailing newline

This way it works as expected and the password is hidden even with $ENV{'PATH'} exported.

It applies to at least all the utility templates in /usr/share/dirsrv/script-templates/ :

[root@ldap-est ~]# grep -iR stty /usr/share/dirsrv/script-templates/|cut -d\: -f 1|sort|uniq
/usr/share/dirsrv/script-templates/template-bak2db.pl
/usr/share/dirsrv/script-templates/template-db2bak.pl
/usr/share/dirsrv/script-templates/template-db2index.pl
/usr/share/dirsrv/script-templates/template-db2ldif.pl
/usr/share/dirsrv/script-templates/template-fixup-linkedattrs.pl
/usr/share/dirsrv/script-templates/template-fixup-memberof.pl
/usr/share/dirsrv/script-templates/template-ldif2db.pl
/usr/share/dirsrv/script-templates/template-ns-accountstatus.pl
/usr/share/dirsrv/script-templates/template-ns-activate.pl
/usr/share/dirsrv/script-templates/template-ns-inactivate.pl
/usr/share/dirsrv/script-templates/template-schema-reload.pl
/usr/share/dirsrv/script-templates/template-syntax-validate.pl
/usr/share/dirsrv/script-templates/template-usn-tombstone-cleanup.pl

Comment 1 Andrey Ivanov 2010-03-24 18:24:49 UTC
The full path I have given ("/bin/stty") applies to RHEL/CentOS 5.x. For other distributions and Solaris/HPUX it may be quite different...

Comment 2 Rich Megginson 2010-03-25 01:47:54 UTC
Do you have a /usr/bin/stty on your system?  Is stty a shell built-in for your shell?  I think we should use /bin/stty - should work in a posix-y environment.

Comment 3 Andrey Ivanov 2010-03-25 08:23:07 UTC
No, I have a standard Red Hat installation:

[root@ldap-test ~]# locate stty
/bin/stty
/usr/share/doc/bash-3.2/functions/fstty
/usr/share/doc/bash-3.2/scripts.noah/stty.bash
/usr/share/man/man1/stty.1.gz
/usr/share/man/man1p/stty.1p.gz
/usr/share/man/man2/stty.2.gz
/usr/share/terminfo/e/elks-glasstty
/usr/share/terminfo/g/glasstty


So stty is only in /bin/stty. AFAIK stty is not a built-in bash command, that's why I said that I was not sure why it happened.

Comment 4 Rich Megginson 2010-03-25 14:32:01 UTC
Solaris uses /bin/stty - I think it's safe to just use /bin/stty.

Comment 6 Rich Megginson 2011-01-24 20:49:40 UTC
Created attachment 475042 [details]
0001-Bug-576534-Password-displayed-on-console-when-entere.patch

Comment 7 Rich Megginson 2011-01-24 22:42:57 UTC
To ssh://git.fedorahosted.org/git/389/ds.git
   c9839b3..a7fe1a3  master -> master
commit a7fe1a31f0dc5ab2182503c031cac9714c89db2d
Author: Rich Megginson <rmeggins@redhat.com>
Date:   Mon Jan 24 12:53:21 2011 -0700
    Reviewed by: nhosoi (Thanks!)
    Branch: master
    Fix Description: Add a new configurable path - sttyexec - to configure.ac.
    This is the absolute path and filename of the stty command to use with
    the -echo and echo options to disable and enable tty echo for password
    entry with perl scripts.  By default it is set to /bin/stty but it can be
    overridden on a per-platform basis in configure.ac.  I had to move
    DialogManager.pm to DialogManager.pm.in in order to replace the stty
    command used there (which actually worked with just stty - not sure
    why that worked but other perl scripts did not).
    Platforms tested: RHEL6 x86_64
    Flag Day: yes - file renamed - autoconf file changes
    Doc impact: no

Comment 8 Amita Sharma 2011-06-16 13:13:56 UTC
[root@rhel61 slapd-rhel61]# /usr/lib64/dirsrv/slapd-rhel61/db2index.pl -w -
Bind Password: 

Not showing pwd while typing..
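
Added example, not part of the bug thread or of the 389-ds patch: the PATH quoted in the description has no /bin entry while the locate output in comment 3 lists stty only at /bin/stty, so an unchecked system("stty -echo") is consistent with echo never being disabled while the prompt went ahead anyway. The Perl helper below (read_password is a hypothetical name) uses the core POSIX::Termios module so that echo control does not depend on PATH or on an external binary, and it refuses to prompt if echo cannot be turned off.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(:termios_h);

# Hypothetical helper (not 389-ds code): prompt for a password with echo off,
# without relying on $ENV{PATH} to locate an external stty binary.
sub read_password {
    my ($prompt) = @_;
    my $fd = fileno(STDIN);

    # Input is not a terminal (e.g. piped): nothing is echoed, just read a line.
    unless (-t STDIN) {
        my $line = <STDIN>;
        defined $line or die "no password on stdin\n";
        chomp $line;
        return $line;
    }

    my $term = POSIX::Termios->new;
    defined $term->getattr($fd) or die "tcgetattr failed: $!\n";
    my $saved = $term->getlflag;

    # Put the original local flags back (used on return, on error, on Ctrl-C).
    my $restore = sub {
        $term->setlflag($saved);
        $term->setattr($fd, TCSANOW);
    };
    local $SIG{INT} = sub { $restore->(); print STDERR "\n"; exit 130 };

    # Fail closed: if echo cannot be disabled, do not prompt at all.
    $term->setlflag($saved & ~ECHO());
    defined $term->setattr($fd, TCSANOW)
        or die "cannot disable terminal echo: $!\n";

    print STDERR $prompt;
    my $line = eval { scalar <STDIN> };
    $restore->();
    print STDERR "\n";
    defined $line or die "no password read\n";
    chomp $line;
    return $line;
}

# Constructed PATH with the same shape as in the report: /bin is absent.
$ENV{PATH} = "/usr/lib64/mozldap:/usr/bin";
my $passwd = read_password("Bind Password: ");
printf STDERR "read %d characters\n", length $passwd;
```

If a script keeps the external stty call instead, the equivalent safeguard is to test the return value of system() and abort before reading the password when it is non-zero.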

