securely passing a password to subprocess.Popen via environment
I would like to securely ask a user for a password and then pass it to subprocess.Popen to run a command that requires it.
I have seen this question and that one, but I wonder if I can securely pass the password via the subprocess environment like that:

    import os
    import subprocess

    # Prompt the user for the password
    user_password = input("what is your password?")
    # Copy the current environment and add the password to the copy
    my_env = os.environ.copy()
    my_env["userpass"] = user_password
    # Argument list, so the command runs without a shell on any platform
    my_command = ["python", "--version"]
    subprocess.Popen(my_command, env=my_env)

Will the password be flushed once the python script is closed? I have looked at the subprocess documentation but it's not explained.
When I add this line

    print(os.environ['userpass'])

at the end of my code to print the OS environment, I can retrieve the user password. Does it mean that the password can be accessed by the other running processes?
Edit: I can't pipe the password as the command I use doesn't read its password from standard input
python security passwords subprocess
edited Nov 10 at 18:21
asked Nov 9 at 20:14
Enora
I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in Linux at least).
– jedwards
Nov 9 at 20:26
It looks like the environment trick is just as risky on Windows too, btw (here)
– jedwards
Nov 9 at 20:30
Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
– Enora
Nov 9 at 20:48
regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
– Enora
Nov 9 at 20:49
(a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
– jedwards
Nov 9 at 20:51
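
An added example, not part of the original thread: a Linux-only check of the exposure discussed in the comments above. It hands the same secret to a child process once through the environment and once through a stdin pipe, then looks for it in the child's /proc/<pid>/environ and /proc/<pid>/cmdline. The names SECRET, CHILD, proc_exposure and run_child are hypothetical, and the secret is a constructed sample value.

```python
import os
import subprocess
import sys

SECRET = "constructed-example-password"  # constructed sample, not a real credential

# Child program: block on one line of stdin, then print how many characters arrived.
CHILD = "import sys; print(len(sys.stdin.readline().strip()))"


def proc_exposure(pid, secret):
    """Return the /proc/<pid> files (environ, cmdline) that contain the secret."""
    found = []
    for name in ("environ", "cmdline"):
        with open(f"/proc/{pid}/{name}", "rb") as fh:
            if secret.encode() in fh.read():
                found.append(name)
    return found


def run_child(secret, via):
    """Pass the secret via 'env' or 'stdin'; return (exposed files, chars the child read)."""
    env = os.environ.copy()
    if via == "env":
        env["userpass"] = secret  # same variable name as in the question
    child = subprocess.Popen([sys.executable, "-c", CHILD], env=env,
                             stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    try:
        # The child is still blocked on stdin here, so its /proc entry exists.
        exposure = proc_exposure(child.pid, secret)
        payload = secret if via == "stdin" else ""
        out, _ = child.communicate(payload + "\n", timeout=10)
    finally:
        if child.poll() is None:
            child.kill()
    return exposure, int(out)


if __name__ == "__main__":
    for via in ("env", "stdin"):
        print(via, run_child(SECRET, via))
```

The environment copy stays readable in /proc/<pid>/environ for as long as the child runs, while the piped secret appears in neither file.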