This replaces the command line args with Xs for bitcoin-cli so that passwords and private keys can not be observed in the process table while it executes. This trick is borrowed from the mysql codebase.
simple fix to mask command line arguments after they are copied #7122
pull robegan21 wants to merge 1 commit into bitcoin:master from robegan21:MaskCommandLineArgs changing 1 file +10 −0
robegan21 commented at 9:44 AM on November 28, 2015: none
-
simple fix to mask command line arguments after they are copied a05df4cb21
-
gmaxwell commented at 10:00 AM on November 28, 2015: contributor
Er. This would prevent me from figuring out which of my daemons was testnet/mainnet/regtest... and still doesn't make it actually secure.
-
pstratem commented at 10:05 AM on November 29, 2015: contributor
concept ack
-
paveljanik commented at 10:49 AM on November 29, 2015: contributor
I'd rather see any such possibility to enter sensitive information on the command line to be removed. It is not only ps output, but also history etc.
- jonasschnelli added the label Utils and libraries on Nov 29, 2015
-
laanwj commented at 9:13 AM on November 30, 2015: member
This provides a false sense of security. There is a time window in which the arguments are visible, it may be possible to time this exactly, if not then the brute force 'request the process list in a tight loop' would work to get the credentials at least some of the time (once would be enough.)
Under Linux you can use the hidepid mount option: http://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ to hide process information (such as command line, environment) between users.

> I'd rather see any such possibility to enter sensitive information on the command line to be removed

But it's hard to know what is sensitive information.

At least the walletpassphrase could be asked on the console. This was considered in the past, but surprisingly difficult to do in a platform-independent and secure way. A dependency on GNU readline isn't deemed worth it.

(the possibility to read an argument from an arbitrary file or file descriptor may be useful, though, similar to bitcoin-tx's registers)

(the party line used to be "use the bitrpc python script to enter the passphrase", but this script was unmaintained and doesn't exist anymore as of #6507)
-
petertodd commented at 11:43 AM on December 5, 2015: contributor
Sigh, yeah, NACK based on false sense of security.
Definitely an issue worth fixing somehow though.
-
laanwj commented at 12:40 PM on December 7, 2015: member
Simplest solution: what about a bitcoin-cli mode that reads the input as a line from stdin instead of the command line?
-
GIJensen commented at 3:15 PM on December 7, 2015: none
Giving bitcoin-cli an interactive mode? I like that idea. "bitcoin-cli -i/--interactive" to enable "stdin mode". I think it'd be a nice step for people who rely on bitcoin-cli.
-
MarcoFalke commented at 3:43 PM on December 7, 2015: member
+1 I hate to use bitcoin-cli because you have to type the same stuff all over again in the terminal for every call.
-
laanwj commented at 4:28 PM on December 7, 2015: member
I'm not talking about an interactive mode. Interactive mode is less straightforward to implement, e.g. nice prompt handling, intermediate variables, etc. It would be useful but I think it'd be better to write a different script/application for that, e.g. based on a Python (or Javascript) shell.
No, what I mean is simply to read the input (once) from stdin so a script or user using bitcoin-cli can pipe in the password instead of specifying it on the command line where it can get intercepted.
-
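As an added example (not code from this PR or from Bitcoin Core), the two approaches discussed in this thread side by side in C: the PR's copy-then-mask of argv described at the top, and laanwj's proposal of reading the secret once from stdin. The function names, the sample password and the use of a temporary file in place of a pipe are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void free_args(char **copy) {
    if (copy == NULL) return;
    for (char **p = copy; *p != NULL; p++) free(*p);
    free(copy);
}
/* The PR's approach (as in mysql): keep private copies, then overwrite the
 * originals with 'X' so ps no longer shows them. The thread's caveat applies:
 * the strings were visible from exec() until this memset runs, so the window
 * is shortened, not closed. argv[0] is left readable. */
char **copy_and_mask_args(int argc, char **argv) {
    char **copy = calloc((size_t)argc + 1, sizeof(char *));
    if (copy == NULL) return NULL;
    for (int i = 0; i < argc; i++) {
        copy[i] = strdup(argv[i]);
        if (copy[i] == NULL) { free_args(copy); return NULL; }
        if (i > 0) memset(argv[i], 'X', strlen(argv[i]));
    }
    return copy;
}
/* The alternative laanwj proposes: read the secret as one line from a stream
 * (stdin in practice) so it never enters argv at all. Returns the length
 * without the trailing newline, 0 on EOF or error. */
size_t read_secret_line(FILE *in, char *buf, size_t cap) {
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) {
        if (cap > 0) buf[0] = '\0';
        return 0;
    }
    size_t n = strcspn(buf, "\r\n");
    buf[n] = '\0';
    return n;
}

/* Run both paths on constructed input; returns 1 when they behave as described. */
int self_check(void) {
    char a0[] = "bitcoin-cli", a1[] = "-rpcpassword=hunter2", a2[] = "getinfo";
    char *argv[] = { a0, a1, a2, NULL };
    char **copy = copy_and_mask_args(3, argv);
    int ok = copy != NULL && strcmp(copy[1], "-rpcpassword=hunter2") == 0
             && strcmp(argv[0], "bitcoin-cli") == 0 && strspn(argv[1], "X") == 20;
    free_args(copy);
    FILE *f = tmpfile(); if (f == NULL) return 0;  /* stands in for a pipe on stdin */
    fputs("hunter2\n", f); rewind(f);
    char secret[64];
    ok = ok && read_secret_line(f, secret, sizeof secret) == 7 && strcmp(secret, "hunter2") == 0;
    fclose(f);
    return ok;
}
```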
GIJensen commented at 4:43 PM on December 7, 2015: none
I understand, +1
- laanwj closed this on Jan 29, 2016
- DrahtBot locked this on Feb 15, 2022