
I'm trying to use Python's subprocess.Popen to build up a module for Python bindings to a command line interface; I'm pretty much there as far as the CLI bindings go, but I really want to be able to mask some "private" arguments.

The CLI uses account information, and I want to hide the account credentials from a command prompt title. Below is a screen capture of what appears when I use the login method for my CLI-bindings class.

"Private" credential information in prompt title.

I know that I'm using plain text for the password here ('TAIL') but I wanted to simply show the usage of what's going on. See from the image that the full command "sent" using the subprocess.Popen is displayed in the prompt's title.

I recently found that there is a way to programmatically change the title using either os or ctypes, so I could effectively mask, or cover-up, the "private" credentials I don't want shown on the command prompt title like shown here:


but is there a better way of disabling "echo-to-title" (for lack of a better name) with subprocess.Popen?

Barmar
  • `Popen()` shouldn't create a CMD window, it should just return the output of the program that you run with it. – Barmar Feb 27 '20 at 00:15
  • @Barmar, that's right, it's not creating a CMD window in my case, it's being used in a command window. The first picture I linked (since I can't attach directly yet) shows that I'm testing my scripts in the Python interpreter loaded directly from CMD. The `Popen()` shows the command in the CMD title. – engineerjoe440 Feb 27 '20 at 00:20
  • https://ss64.com/nt/title.html – Barmar Feb 27 '20 at 00:24
  • I must not have made myself clear, that's the workaround I found (by using `os` or `ctypes`), but I was wondering if there was a more direct way with `Popen`. – engineerjoe440 Feb 27 '20 at 00:35
  • No, I doubt it. It doesn't know anything about CMD. When the title is configured to show the current command, CMD automatically monitors the processes to get it. – Barmar Feb 27 '20 at 00:39
  • (1). It is not a cmd window; it's a console window. A console or terminal is not a shell, and vice versa. (2) Your ctypes code is passing a wide-character string to an [A]NSI wrapper. It should call wide-character `SetConsoleTitleW`. (3) The cmd shell changes the window title to the executed command when running interactively; it shouldn't do this in batch mode or the `/c` single-command mode that `Popen` with `shell=True` uses. You need to show us the exact `Popen` call. – Eryk Sun Feb 27 '20 at 02:33

1 Answer


In fact, passwords should never be passed as command line arguments to an executable.

Reason:

Anybody able to look at running processes and their parameters can see the password.

One solution is that the parent process puts the password in an environment variable and the program to be called fetches the parameter from an environment variable.

So the caller would be something like:

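```python
import os
import subprocess

# The child inherits the parent's environment, including this variable.
os.environ["ACRTAC_PASSWORD"] = "TAIL"
subprocess.Popen([...])
```

and the acrtac.py:

```python
import os

# Read the password from the environment instead of from sys.argv.
password = os.environ["ACRTAC_PASSWORD"]
```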

gelonida
  • Thank you @gelonida, but that doesn't help answer my root question. Do you know of any way to make `Popen()` mask the title of CMD? – engineerjoe440 Feb 27 '20 at 01:14
  • Well, as I said, hiding the critical password from the cmd window is nice, but not really safe, as you can still find the password with a process explorer or, on Unix-like systems, with `ps`. So independent of your question I suggest changing the code such that it does not pass confidential information as a command line parameter. But I do understand that you do not accept my answer as a solution. You might try to call something like (I don't have a Windows machine to test) `Popen(["cmd.exe", "/title", "title", "/c", "python.exe", "param1", "param2", "param3"])` – gelonida Feb 27 '20 at 01:35
  • What will probably also work is if the program that is calling subprocess.Popen is already started in a cmd window. In that case the subprocess should be called in the already existing cmd window and, as far as I remember, the title would not change – gelonida Feb 27 '20 at 01:41
  • The process environment is a field in the [process parameters](https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-rtl_user_process_parameters) that can be read almost as easily as the command line. It's slightly more obfuscated in that the Windows API doesn't document the field offset. But common, free tools such as Microsoft's own Process Explorer quite easily display the environment of a process. Preventing this would require creating the process with a custom security descriptor that denies standard users the right to open a handle with `PROCESS_VM_READ` access. – Eryk Sun Feb 27 '20 at 02:50
  • Hi Eryk, perhaps things are different on Windows than on Linux. As far as I know, only the process owner could see the environment, whereas any user could see the running processes and their arguments. – gelonida Feb 27 '20 at 07:45
  • If the env is really as easily visible as process arguments, you write the password into a file, which could be read and deleted by the child process. In this case you'd have only a small time window during startup where the password would be exposed – gelonida Feb 27 '20 at 07:50
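
The answer's environment-variable hand-off, as an added example that is not part of the original posts: `env=` scopes `ACRTAC_PASSWORD` to the child instead of changing the parent's `os.environ`, and a stdin variant (an alternative not proposed in the thread) keeps the secret out of both the command line and the environment. The inline child script, the `login --user demo` arguments and the function names are constructed for the demo.

```python
import json
import os
import subprocess
import sys

# Constructed stand-in for the real CLI: it reports its argv, the value of
# ACRTAC_PASSWORD in its environment, and the first line read from stdin.
CHILD = (
    "import json, os, sys;"
    "print(json.dumps({'argv': sys.argv[1:],"
    " 'env': os.environ.get('ACRTAC_PASSWORD'),"
    " 'stdin': sys.stdin.readline().rstrip('\\r\\n')}))"
)


def _run(args, env, stdin, data=None):
    # The argument list never contains the secret, so neither the console
    # title nor a process listing can show it.
    proc = subprocess.Popen([sys.executable, "-c", CHILD, *args], env=env,
                            stdin=stdin, stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate(data, timeout=30)
    return json.loads(out)


def run_with_env(password, args):
    """Secret goes into the child's environment only, never into argv."""
    child_env = dict(os.environ, ACRTAC_PASSWORD=password)
    return _run(args, child_env, subprocess.DEVNULL)


def run_with_stdin(password, args):
    """Assumed alternative: secret is written to the child's stdin pipe."""
    child_env = {k: v for k, v in os.environ.items() if k != "ACRTAC_PASSWORD"}
    return _run(args, child_env, subprocess.PIPE, password + "\n")


if __name__ == "__main__":
    print(run_with_env("TAIL", ["login", "--user", "demo"]))
    print(run_with_stdin("TAIL", ["login", "--user", "demo"]))
```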