Hi. Somewhat new to the tool but I have found that running remote commands with sudo can expose the user's sudo password due to the way it's running it with a one-liner. Is there something I'm missing? Here is the snip:
self._shell.exec_command('echo %s | sudo --stdin --prompt "" %s' % (sudo_password, command))
Anyone with root on that box can see the user's password while it's running with a ps command. Also, if commands are logged, as I have to deal with, they will log the sudo command.
Thanks for your insight and awesome tool.
Firstly, thanks for your kind words. Regarding the problem you described, can you provide the usage of the ps command so that I can obtain the user's password? I was only able to obtain the command itself and not the password. Also, logging a command is something that users decide to do or not by taking multiple things into account, one of them being that passwords can also be logged, so there is not much that can be done here.
Reproduced the problem, but still trying to figure out how to make it more secure. If anyone has some ideas, feel free to share them.
I wouldn't consider this as a critical priority though, as most of the users probably use SSHLibrary in isolated environments (with test users) created specifically for automated testing.
I will leave this ticket open, because it is a valid concern, and will think further on a solution.
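As an added illustration (not part of the thread and not SSHLibrary code), the sketch below contrasts the command form quoted in the report with feeding the password over the process's stdin, and checks what a process listing sees in each case. It assumes Linux (`/proc`) and uses a hypothetical shell stand-in, `STAND_IN`, in place of `sudo --stdin --prompt ""`, run through a local `sh` rather than an SSH session.

```python
import shlex
import subprocess

SECRET = "constructed-demo-password"  # constructed sample value

# Hypothetical stand-in for `sudo --stdin --prompt "" <command>`: reads one line
# from stdin as the password and prints its length to prove it arrived.
STAND_IN = 'read -r pw; sleep 0.3; printf %s "${#pw}"'


def argv_style(secret):
    """Command string built the way the report shows: the secret is part of it."""
    return "echo %s | { %s; }" % (shlex.quote(secret), STAND_IN)


def run_and_observe(shell_command, stdin_data=None):
    """Start the command, read its argv the way ps does, then feed stdin."""
    proc = subprocess.Popen(["sh", "-c", shell_command], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    with open("/proc/%d/cmdline" % proc.pid, "rb") as fh:  # Linux only
        seen = fh.read().replace(b"\0", b" ").decode()
    out, _ = proc.communicate(stdin_data)
    return seen, out


if __name__ == "__main__":
    for label, cmd, data in (("argv", argv_style(SECRET), None),
                             ("stdin", STAND_IN, SECRET + "\n")):
        seen, out = run_and_observe(cmd, data)
        print("%-5s secret visible in process listing: %s, stand-in got %s chars"
              % (label, SECRET in seen, out))
```

In both runs the stand-in receives the full password; only the first leaves it in the command line that `ps` and command logging record.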