P4DTI issue job000700

Title: Perforce user password is disclosed on command line
Assigned user: David Jones
Description: When the P4DTI issues Perforce commands, it does so by issuing a system command including all relevant options on the command line, including the password with -P. The command line can be obtained with various system tools such as 'ps', so other users on the system can readily obtain the P4DTI Perforce user's password.
Analysis: Reported by a customer [1].
We could use the environment variable P4PASSWD, but this is still available to other users (via ps -e). Or we could create a p4config file and use P4CONFIG, which then makes this a question of file permissions, over which we have more control.

Solution: Place in file. Controlled with p4_create_config_file in
drj 2003-08-21
NB 2003-09-27: Problem with this solution: os.chmod doesn't work properly on Win32. We need code to manipulate Win32 SECURITY_DESCRIPTORs. This is not easy. Added code to portable.py.
How found: customer
Evidence: [1] <http://info.ravenbrook.com/mail/2003/05/19/20-59-59/0.txt>
Observed in: 1.5.3
Created by: Nick Barnes
Created on: 2003-05-20 14:31:39
Last modified by: Gareth Rees
Last modified on: 2010-10-07 12:07:12
History: 2003-05-20 NB Created.
2003-08-12 NB Analysis.
2003-08-21 DRJ Closed.
2003-09-27 NB Reopened, analysis extended, reclosed.


| Change | Effect | Date | User | Description |
|---|---|---|---|---|
| 57337 | closed | 2003-09-17 12:44:34 | Nick Barnes | os.chmod doesn't work on Windows, so write a new routine to achieve it and put it in a new module portable.py. |
| 53699 | closed | 2003-08-21 17:20:22 | David Jones | p4dti: hiding perforce password in file |
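
The approach the analysis settles on (password in a P4CONFIG file protected by file permissions, instead of -P on the command line), as an added example that is not P4DTI's own code. The function names, the file name .p4config and the sample values are assumptions made for illustration, and the permission check is POSIX-only because, as noted in the analysis, os.chmod does not restrict access on Win32.

```python
import os
import stat

def write_p4config(path, port, user, password):
    """Create a P4CONFIG file that only its owner can read or write."""
    # O_EXCL: refuse to reuse a file someone else may have pre-created.
    # Mode 0o600 is applied at creation, so the file never exists with
    # wider permissions (unlike open() followed by os.chmod()).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("P4PORT=%s\nP4USER=%s\nP4PASSWD=%s\n" % (port, user, password))
    return path

def is_private(path):
    """True if no group/other permission bits are set (POSIX mode bits only)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def p4_invocation(config_path, args, p4="p4"):
    """Build argv, env and cwd for p4 with the password in neither argv nor env."""
    if not is_private(config_path):
        raise PermissionError("%s is accessible to other users" % config_path)
    env = dict(os.environ)
    env.pop("P4PASSWD", None)  # the environment is also visible via ps
    # P4CONFIG names a file that p4 looks for in the working directory
    # and its parents, so run p4 from the directory holding the file.
    env["P4CONFIG"] = os.path.basename(config_path)
    cwd = os.path.dirname(os.path.abspath(config_path))
    return [p4] + list(args), env, cwd

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample values, not taken from the issue.
        cfg = write_p4config(os.path.join(d, ".p4config"),
                             "perforce:1666", "p4dti-user", "constructed-secret")
        argv, env, cwd = p4_invocation(cfg, ["changes", "-m", "1"])
        print(argv, env["P4CONFIG"], cwd)
```

The returned values are meant to be passed to subprocess.run(argv, env=env, cwd=cwd), so that ps shows only the p4 command and its non-secret arguments.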