I have a sample python script: sample.py. The script takes the argument as the user name and password to connect to some remote server. When I run the script sample.py --username --password , the password is being logged in linux messages files. I understand this is a linux behavior, but wondering if we can do anything within my script to avoid this logging. One way I can think is to provide password in an interactive way. Any other suggestions?
- Why are your commands being put in the system log file? – Barmar Apr 24 '15 at 09:30
- For one, `history` will store the script calling with the password included for a while. – ODiogoSilva Apr 24 '15 at 09:32
- This might help: http://stackoverflow.com/q/157938/2382792 – ρss Apr 24 '15 at 09:39
4 Answers
Python has the getpass module to handle both user and password information, though these are provided in an interactive way, as you suggested, but with an additional layer of security. It's also quite simple to use, having the `getpass` and `getuser` methods available.

Example:

```python
import getpass
password = getpass.getpass() # Prompts "Password:" automatically
```

- I already implemented this. But I'm looking for some way where I can avoid the interactive way and also not log the password in the messages file. – Sandy Apr 24 '15 at 11:04
- You want to avoid the password being shown in message logs, `history`, and `ps`, right? One possibility would be to store the password in a text file and pass either the file itself or the line with the password? – ODiogoSilva Apr 24 '15 at 11:17
This may help:

```sh
$ export HISTIGNORE="your_python_script_name *"
```

This needs to be done before you call your script, so you may want to write a shell script which simply calls this command and then calls your Python script with args.
- The problem is not with history. The problem is it is logged in the syslog messages file. – Sandy Apr 24 '15 at 10:14
Have a quick read of this answer: Command lines will always be visible

In short, you shouldn't be passing passwords as command line parameters because they are visible in lots of places. MySQL for example says `Warning: Using a password on the command line interface can be insecure.` when you try to do what you're suggesting.

Passing it interactively with `getpass` certainly fixes the problem.

A different solution would be to copy `sudo -S`, which allows you to provide the password via stdin (or another file descriptor if you're feeling adventurous). That would then become:

```python
import sys
# Read one line from stdin and drop the trailing newline (and any other surrounding whitespace)
password = sys.stdin.readline().rstrip()
```

The `rstrip` is to remove a trailing new line (which `sudo -S` also expects), but it would also remove any whitespace that is part of the password. If the trailing new line is not desired:

```python
import sys
# Read everything from stdin verbatim, newline included
password = sys.stdin.read()
```

Another approach is to use environment variables. This relies on OS security, but is apparently valid for any recent Linux, and is recommended by 12 factor. For a mature deployment environment, this would be my favored approach.

Finally, there is the option of storing the password in a file and relying on file system permissions to control access. There is a certain blunt simplicity to this in my opinion.

The 'best' solution may be to have a combination of these methods with a fall-back between various methods and a MySQL-style warning on the insecure method originally used.
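The combination this answer describes, written out as an added example that is not part of the original answer: a resolver that tries the non-interactive sources first (environment variable, permission-checked password file, piped stdin in the `sudo -S` style) and only falls back to `getpass`, while still accepting a command-line password with a MySQL-style warning. The variable names `SAMPLE_PASSWORD` and `SAMPLE_PASSWORD_FILE` and the function names are assumptions made for this example.

```python
import getpass
import os
import stat
import sys
import warnings

# Assumed names for this example; pick whatever fits your script.
PASSWORD_ENV_VAR = "SAMPLE_PASSWORD"
PASSWORD_FILE_ENV_VAR = "SAMPLE_PASSWORD_FILE"

# Permission bits that must NOT be set on a password file (group/other access).
_TOO_OPEN = stat.S_IRWXG | stat.S_IRWXO


def password_from_file(path):
    """Read a password from a file, refusing files that group or other can access."""
    st = os.stat(path)
    if st.st_mode & _TOO_OPEN:
        raise PermissionError(
            "%s is accessible by group/other (mode %o); use chmod 600"
            % (path, stat.S_IMODE(st.st_mode)))
    with open(path) as fh:
        # Strip only the trailing newline so whitespace inside the password survives.
        return fh.read().rstrip("\n")


def resolve_password(cli_password=None, environ=None, stdin=None, prompt=getpass.getpass):
    """Return (password, source), trying the least exposed sources first.

    environ and stdin are injectable so the function can be tested without
    touching the real process environment or terminal.
    """
    environ = os.environ if environ is None else environ
    stdin = sys.stdin if stdin is None else stdin

    # 1. Command-line value: still works, but argv shows up in ps, shell
    #    history and logs, so warn exactly as the MySQL client does.
    if cli_password is not None:
        warnings.warn("Using a password on the command line interface can be insecure")
        return cli_password, "argv"

    # 2. Environment variable (12-factor style); argv and logs never see it.
    if environ.get(PASSWORD_ENV_VAR):
        return environ[PASSWORD_ENV_VAR], "env"

    # 3. File named by an environment variable, protected by filesystem permissions.
    path = environ.get(PASSWORD_FILE_ENV_VAR)
    if path:
        return password_from_file(path), "file"

    # 4. Piped stdin, like `sudo -S`: only when stdin is not a terminal.
    if not stdin.isatty():
        line = stdin.readline()
        if line:
            return line.rstrip("\n"), "stdin"

    # 5. Last resort: interactive prompt with echo disabled.
    return prompt("Password: "), "prompt"


if __name__ == "__main__":
    # Usage: pipe the password in, or export SAMPLE_PASSWORD, or just answer the prompt.
    pw, source = resolve_password()
    print("password obtained from %s (%d characters)" % (source, len(pw)))
```

The order matters: a value in the environment wins over a piped stdin so that a script run under a process manager does not block reading from a closed pipe, and the interactive prompt is reached only when nothing else was supplied. The permission check in `password_from_file` is the part people most often skip; it turns a world-readable credential file into a hard error instead of a silent leak.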
I figured out the best way is to disable it via the sudo command:

```
Cmnd_Alias SCRIPT =
Defaults!SCRIPT !syslog
```

The above lines in sudoers.conf should help prevent the logging in syslog.