|Title||Perforce user password is disclosed on command line|
|Assigned user||David Jones|
|Description||When the P4DTI issues Perforce commands, it does so by issuing a system command including all relevant options on the command line, including the password with -P. The command line can be obtained with various system tools such as 'ps', so other users on the system can readily obtain the P4DTI Perforce user's password.|
|Analysis||Reported by a customer.
We could use the environment variable P4PASSWD, but this is still available to other users (via ps -e). Or we could create a p4config file and use P4CONFIG, which then makes this a question of file permissions, over which we have more control.
Solution: Place in file. Controlled with p4_create_config_file in
NB 2003-09-27: Problem with this solution: os.chmod doesn't work properly on Win32. We need code to manipulate Win32 SECURITY_DESCRIPTORs. This is not easy. Added code to portable.py.
|Created by||Nick Barnes|
|Created on||2003-05-20 14:31:39|
|Last modified by||Gareth Rees|
|Last modified on||2010-10-07 12:07:12|
|History||2003-05-20 NB Created.|
2003-08-12 NB Analysis.
2003-08-21 DRJ Closed.
2003-09-27 NB Reopened, analysis extended, reclosed.
|57337||closed||2003-09-17 12:44:34||Nick Barnes||os.chmod doesn't work on Windows, so write a new routine to achieve it and put it in a new module portable.py.|
|53699||closed||2003-08-21 17:20:22||David Jones||p4dti: hiding perforce password in file|
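
The P4CONFIG approach from the analysis, sketched as an added example (not P4DTI's own code): the password goes into a file created with owner-only permissions, and the p4 command is built with no secret in its arguments or environment. The function names, the `.p4config` file name and the sample values are assumptions made for illustration.

```python
import os
import stat
import tempfile

def write_p4config(path, port, user, password):
    """Create a P4CONFIG file that only its owner can read (POSIX)."""
    # O_EXCL refuses to reuse an existing file or follow a planted symlink.
    # Mode 0o600 is applied at creation, so the file never exists with
    # wider permissions, unlike create-then-chmod.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("P4PORT=%s\nP4USER=%s\nP4PASSWD=%s\n" % (port, user, password))
    return path

def config_is_private(path):
    """True if no group/other permission bits are set on the file.

    As the analysis notes, mode bits are not a reliable control on Win32,
    where access is governed by the security descriptor; this check is
    meaningful on POSIX only.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def p4_invocation(config_path, args):
    """Return (argv, env, cwd) for a p4 call that carries no password.

    p4 looks for the file named by P4CONFIG in the working directory and
    its parents, so the command is meant to run from the file's directory.
    """
    env = dict(os.environ)
    env.pop("P4PASSWD", None)  # keep the secret out of the environment too
    env["P4CONFIG"] = os.path.basename(config_path)
    return ["p4"] + list(args), env, os.path.dirname(config_path)

if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    # Constructed sample values, not real credentials.
    cfg = write_p4config(os.path.join(workdir, ".p4config"),
                         "perforce.example:1666", "p4dti-user", "s3cret-constructed")
    argv, env, cwd = p4_invocation(cfg, ["info"])
    print(argv, "private" if config_is_private(cfg) else "NOT private", cwd)
```

Pass the returned values to `subprocess.run(argv, env=env, cwd=cwd)` to issue the command; a process listing then shows only `p4 info`.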