Bug#831296: Please allow reading password from elsewhere

Daniel Kahn Gillmor dkg at debian.org
Fri Jul 15 12:47:14 UTC 2016


Hi madduck--

On Thu 2016-07-14 14:23:26 +0200, martin f krafft wrote:
> I don't want the password to show up in argv… sure,
>
>   --password $(cat =(echo 's3cr3t'))
>
> works, but it'd be nice if there was another way, including
> prompting, or a session config file.

this actually does show up in argv, because bash replaces the output of
cat on the cmdline before exec'ing the command.

what you'd really like is to be able to read the password from a file or
a file descriptor.

If it's from a file, then in bash you can do:

 --password-file <(echo s3cr3t)

(because echo is a bash builtin, and bash will replace <() with
/dev/fd/63 (or whatever file descriptor it chooses).  if a shell exists
that does support <() but doesn't have an echo builtin, then this will
be a problem because the subshell will leak s3cr3t in the argv it passes
to an external echo)

with a weaker shell you could set up an in-filesystem fifo and pass the
password that way i guess.

         --dkg
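
What each invocation discussed in this message leaves in the child's argv, as an added example that is not part of the original message. `showargs`, the temporary paths and the function names are hypothetical; it assumes `bash` is installed, `/dev/fd` is available, and `printf` is a shell builtin.

```sh
#!/bin/sh
# Constructed demo. "showargs" is a hypothetical stand-in for the real program:
# it prints the argv it was started with (what ps or /proc/PID/cmdline exposes)
# and, given --password-file, the length of what it read (never the value).
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
HELPER=$WORK/showargs
cat > "$HELPER" <<'EOF'
echo "argv: $*"
if [ "$1" = "--password-file" ]; then
    IFS= read -r pw < "$2"
    echo "read ${#pw} bytes from $2"
fi
EOF
# printf is a shell builtin here, so writing the sample secret starts no process.
printf '%s\n' s3cr3t > "$WORK/pw"

# Command substitution: the shell expands $(...) first, so the secret is in argv.
argv_command_subst() {
    sh "$HELPER" --password "$(cat "$WORK/pw")"
}

# Process substitution (bash only, fed on stdin so this file stays POSIX sh):
# argv holds a /dev/fd/N path, and echo is a builtin, so nothing execs the secret.
argv_process_subst() {
    bash -s "$HELPER" <<'EOF'
sh "$1" --password-file <(echo s3cr3t)
EOF
}

# FIFO for shells without <(): argv holds only the path of the named pipe.
argv_fifo() {
    mkfifo -m 600 "$WORK/fifo"
    printf '%s\n' s3cr3t > "$WORK/fifo" &   # blocks until the reader opens it
    sh "$HELPER" --password-file "$WORK/fifo"
    wait
    rm -f "$WORK/fifo"
}

echo "== command substitution"; argv_command_subst
echo "== process substitution"; argv_process_subst
echo "== fifo"; argv_fifo
```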


