Bug 15671 - invalid client warning about command line passwords
Summary: invalid client warning about command line passwords
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.20.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Douglas Bagnall
QA Contact: Samba QA Contact
Reported: 2024-06-26 22:52 UTC by Douglas Bagnall
Modified: 2024-07-03 02:36 UTC
Description Douglas Bagnall 2024-06-26 22:52:09 UTC
A command like 

 $ samba-tool domain leave -U alice

should not say

  WARNING: Using passwords on command line is insecure. Installing the
  setproctitle python module will hide these from shortly after program
  start.

because no password was used. Yet it does.
Comment 1 Rowland Penny 2024-06-27 05:56:03 UTC
(In reply to Douglas Bagnall from comment #0)
Well yes, a password hasn't been entered (yet), but what does the next line (as printed to screen) ask for?

Or to put it another way, the message should be something like 'Using passwords over the network is insecure, please install the python setproctitle module'
Comment 2 Douglas Bagnall 2024-06-27 08:06:57 UTC
(In reply to Rowland Penny from comment #1)
This message is not about passwords over the network, which setproctitle won't affect.

It is about what gets saved in /proc. So if you go

 $ samba-tool domain leave -UAdministrator%secretsecret

what you would see with `ps` etc is "samba-tool domain leave -UAdministrator", so spies on your computer can't find out the password.

If you don't have python3-setproctitle installed, it can't do that, so it does the warning. But if your command line was 

 $ samba-tool domain leave -UAdministrator

and it prompts you for the password, the password isn't going to be saved in /proc and there's no danger, hence no need for the warning.
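
The distinction drawn in comment 2, as an added example that is not part of the original thread and is not Samba's code: warn only when the command line really carries a password and it cannot be hidden. The function names are hypothetical, and only the `-U`/`--user` `USER%PASSWORD` forms seen above are handled.

```python
import sys

try:
    from setproctitle import setproctitle  # optional third-party module
except ImportError:
    setproctitle = None


def _split_user(value):
    """'alice%secret' -> ('alice', True); 'alice' -> ('alice', False)."""
    user, sep, _password = value.partition("%")
    return user, bool(sep)


def redact_argv(argv):
    """Return (argv with %password parts removed, whether one was present)."""
    out, found, value_next = [], False, False
    for arg in argv:
        if value_next:                     # value following a bare -U / --user
            user, has_pw = _split_user(arg)
            out.append(user)
            found, value_next = found or has_pw, False
        elif arg in ("-U", "--user"):
            out.append(arg)
            value_next = True
        elif arg.startswith(("--user=", "-U")):
            prefix = "--user=" if arg.startswith("--") else "-U"
            user, has_pw = _split_user(arg[len(prefix):])
            out.append(prefix + user)
            found = found or has_pw
        else:
            out.append(arg)
    return out, found


def hide_or_warn(argv):
    """Warn only when argv carries a password that cannot be hidden."""
    redacted, found = redact_argv(argv)
    if not found:
        return "no-password"               # e.g. -U alice: prompt, no warning
    if setproctitle is None:
        print("WARNING: Using passwords on command line is insecure.",
              file=sys.stderr)
        return "warned"
    setproctitle(" ".join(redacted))       # replaces the title that ps shows
    return "hidden"
```
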
Comment 3 Samba QA Contact 2024-07-03 02:36:20 UTC
This bug was referenced in samba master:

f3b240da5c209a51fa43de23e8ecfea2f32bbfd5