| Title | Perforce user password is disclosed on command line |
| Status | closed |
| Priority | essential |
| Assigned user | David Jones |
| Organization | Ravenbrook |
| Description | When the P4DTI issues Perforce commands, it does so by issuing a system command including all relevant options on the command line, including the password with -P. The command line can be obtained with various system tools such as 'ps', so other users on the system can readily obtain the P4DTI Perforce user's password. |
| Analysis | Reported by a customer [1]. We could use the environment variable P4PASSWD, but this is still available to other users (via ps -e). Or we could create a p4config file and use P4CONFIG, which then makes this a question of file permissions, over which we have more control. Solution: Place in file. Controlled with p4_create_config_file in config.py. drj 2003-08-21. NB 2003-09-27: Problem with this solution: os.chmod doesn't work properly on Win32. We need code to manipulate Win32 SECURITY_DESCRIPTORs. This is not easy. Added code to portable.py. |
| How found | customer |
| Evidence | [1] <http://info.ravenbrook.com/mail/2003/05/19/20-59-59/0.txt> |
| Observed in | 1.5.3 |
| Created by | Nick Barnes |
| Created on | 2003-05-20 14:31:39 |
| Last modified by | Gareth Rees |
| Last modified on | 2010-10-07 12:07:12 |
| History | 2003-05-20 NB Created. 2003-08-12 NB Analysis. 2003-08-21 DRJ Closed. 2003-09-27 NB Reopened, analysis extended, reclosed. |

| Change | Effect | Date | User | Description |
|---|---|---|---|---|
| 57337 | closed | 2003-09-17 12:44:34 | Nick Barnes | os.chmod doesn't work on Windows, so write a new routine to achieve it and put it in a new module portable.py. |
| 53699 | closed | 2003-08-21 17:20:22 | David Jones | p4dti: hiding perforce password in file |
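
The approach described in the Analysis, moving the password out of the command line and into an owner-only P4CONFIG file, sketched as an added example (not the P4DTI code from config.py or portable.py). The function names, the file name `p4dti.p4config`, and the port, user and password values are hypothetical; the permission handling is POSIX-only, since Win32 needs ACL manipulation as the Analysis notes.

```python
import os
import stat
import tempfile

def legacy_argv(user, password, args):
    # The pattern the issue describes: the password travels in argv via -P.
    return ["p4", "-u", user, "-P", password] + list(args)

def write_p4config(path, port, user, password):
    # O_EXCL refuses a file or symlink that already exists at this path;
    # mode 0o600 is applied at creation, so there is no window in which the
    # file is readable by other users (POSIX; Win32 needs ACLs instead).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("P4PORT=%s\nP4USER=%s\nP4PASSWD=%s\n" % (port, user, password))
    return path

def p4_invocation(config_name, args):
    # P4CONFIG names a file that p4 looks for in the working directory and
    # its parents, so neither argv nor the environment carries the secret.
    env = dict(os.environ)
    env.pop("P4PASSWD", None)
    env["P4CONFIG"] = config_name
    return ["p4"] + list(args), env

def exposes_password(argv, env, password):
    # True if the secret is visible in argv or in the environment.
    return any(password in a for a in argv) or any(password in v for v in env.values())

def config_is_private(path):
    # True if no group/other permission bits are set.
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

if __name__ == "__main__":
    secret = "constructed-secret"  # constructed sample value
    workdir = tempfile.mkdtemp()
    cfg = write_p4config(os.path.join(workdir, "p4dti.p4config"),
                         "perforce:1666", "p4dti-user", secret)
    argv, env = p4_invocation("p4dti.p4config", ["changes", "-m", "1"])
    print("legacy exposes:", exposes_password(legacy_argv("p4dti-user", secret, ["changes"]), {}, secret))
    print("config exposes:", exposes_password(argv, env, secret))
    print("config private:", config_is_private(cfg))
```

The p4 process must be started with its working directory at or below the directory holding the config file for P4CONFIG to find it.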