Solved Question about QProcess and deleting a file
-
I have a question that is really a cross-platform, OS-specific one independent of Qt. But it arises in the context of
QProcess
, and if you don't mind my asking here I'd be interested in expert views.My Qt GUI app has to invoke an OS command which accepts some "arguments" placed in an external file, whose name is passed on the command-line.
This "temporary" file must be created & populated from Qt before running the process, and needs to deleted by same. Furthermore, the information is "sensitive" --- it's actually a password --- and should be removed at the earliest legitimate opportunity. [Now, I know about how non-secure this is, it's not my fault, it's how the process works, so that's not the question, please.]
-
When exactly would you delete this file from the calling application? We know when we've started the process, but technically we don't know when it has actually read the file contents. The process may not produce any output and might not even exit, so we can't use those signals. Would you just, say, set off a timer for 1 second from receiving "process started" signal, and trust that the app code reads the content on start-up and has had time to do so? I can't think of anything better. I can test under Linux but not under Windows, I'll just have to hope that deleting the file there while subprocess running is OK.
-
I can't rely for certain on my parent app receiving any such a signal after starting the sub-process (e.g. if it gets killed immediately after populating the file). I think I recall both OSs having a "delete temporary file on something like file close or program exit" native flag which can be passed to something like
open(2)
or other native file-open function. Does Qt open file offer this (or via a "create temporary file with guaranteed delete" function)?
-
-
First question? do you have control on the child process? can you make it send outputs after it read the file?
- this is a security problem, the question is: how long can you live with the file being alive before your security risk becomes unbearable? If the answer is "I can leave it laying around for as long as the program is running" then it's straightforward, if >1sec is a problem then use a timer.
- I'm not aware of a cross platform capability similar to what you describe. What I'd suggest is just spawning a 3rd process that is a small program that holds the creates the file in a QTemporaryFile and quits when you want to delete the file
There is no 100% secure way of handling this. if all 3 applications get killed abruptly (someone pulls the plug from the PC) the file will potentially live forever
-
@JNBarchan what if the called external process (the one invoked by QProcess) is responsible for reading and deleting the arguments file?
-
@Pablo-J.-Rogina It still poses the "pull the plug of PC" vulnerability
-
Hi
What OS command are we talking about ? -
@All
Thanks for comments so far.I have no control over the subprocess. I cannot make it delete the file. Writing a "wrapper" external program to invoke & delete doesn't get me anywhere, as I have the same issues. I am aware of the security issues, and no perfect solution, I'm just looking for some "reasonable" (and not too complex). Remember, I've said I know this issue is not strictly a Qt one, I'm just looking for confirmation on my approaches.
For my two questions I'd just like:
-
The closest I can think of is wait for "subprocess started" signal in Qt (so at least I know it's gotten going), then 1 second timer till delete 'coz I gotta believe it must get it read on start up. Just confirming you guys don't see anything better? (I think @VRonin may have confirmed this.)
-
From the Qt I have to create this file. It could be via a Qt "open this filename I've chosen" function or it could be via a Qt "create temporary filename" function. Do either of these offer a "automatically delete on program exit" flag? (Again, @VRonin may be saying he is not aware of such a flag, and therefore not offered from Qt. I think I recall one at the OS level, maybe in my Windows programming; if you guys don't know I need to go look it up and then come back?)
Tx :)
-
-
@mrjj said in Question about QProcess and deleting a file:
Hi
What OS command are we talking about ?I wrote:
I can test under Linux but not under Windows
Target is both. I'll take whatever I can get. I love Linux and hate Windoze; I wouldn't touch a Mac under any circumstances ;-)
-
Hi
I think
http://doc.qt.io/qt-5/qtemporaryfile.html
will auto delete as soon as QTemporaryFile instance is. -
@JNBarchan
Oh, i mean what OS command are you calling/running ? -
Oh, i mean what OS command are you calling/running ?
? I develop under Linux (only). Users could be running either Linux or Windows. Solution will work for whatever it works for. If it doesn't work under Windoze that's their fault for running a crappy OS. If if doesn't work under Linux I won't be able to test it, and won't be happy!
-
@mrjj said in Question about QProcess and deleting a file:
Hi
I think
http://doc.qt.io/qt-5/qtemporaryfile.html
will auto delete as soon as QTemporaryFile instance is.Yes, thank you. It says:
QTemporaryFile is used to create unique temporary files safely. The file itself is created by calling open(). The name of the temporary file is guaranteed to be unique (i.e., you are guaranteed to not overwrite an existing file), and the file will subsequently be removed upon destruction of the QTemporaryFile object
This is better than nothing. However because it doesn't say whether it uses a native OS facility (if available) for this, if it just implements in its own code that won't help if parent Qt program dies without cleaning up. And I really don't want to leave an external file with a password in it lying around in the file system potentially....
-
QTemporaryFile (if not leaked) guarantees the file is removed when the program closes (unless you explicitly tell it not to delete it). The problem with it is that if the program crashes or gets killed that file will still live. That's why I suggest managing the life of the file in a separate, very simple program that has very limited chance to crash.
When I use QTemporaryFile I also always set up a function like this that removes any leftover temporary file from a previous crash and call it at startup
Edit:
I really don't want to leave an external file with a password in it lying around in the file system potentially....
I don't think you can ever guarantee this.
Edit2:
If security is really a concern then you'd need to even prevent recovery of the file and this is basically impossible on SSD.
I think you are concerned about security while a fatal security flaw was introduced by something you have no control over. If you have to live with the vulnerability, roll with it -
@VRonin
Yeah OK.I've started to look up what i had in mind. Here's Linux
man open(2)
:O_TMPFILE (since Linux 3.11) Create an unnamed temporary file. The pathname argument specifies a directory; an unnamed inode will be created in that directory's filesystem. Anything written to the resulting file will be lost when the last file descriptor is closed, unless the file is given a name.
That's what I had in mind, because you'll see it doesn't matter if the creating process dies. But I just realised this gives the file no name, so it won't be so useful for passing to another program!!
OK, so
man 3 tmpfile
:The tmpfile() function opens a unique temporary file in binary read/write (w+b) mode. The file will be automatically deleted when it is closed or the program terminates.
This does create a named file, and returns an open handle. Again note the "deleted when program terminates" (assuming it's an OS facility, if they only mean C runtime clean-up it's no good... I need to check, sigh.). I think this is the closest to what I recall...
As I said, I'm not fanatical over security, I know it will vulnerable, just looking for a reasonable deal.
-
OK, I guess I'll have to reveal what this subprocess is!
mysqldump
, to do database backups. It needs username + password to connect to MySQL server as.If you look at how MySQL Workbench invokes it, it uses
mysqldump
's acceptance of command-line:mysqldump --defaults-file="/tmp/tmpsYWm9r/extraparams.cnf" ...
to pass (just) the password in that file. I do not know what flags it might use to open that file.
Now, at present I am just using command-line:
mysqldump --user=... --password=... ...
The output --- which my user sees --- starts with:
mysqldump: [Warning] Using a password on the command line interface can be insecure.
I am aware of why that is a risk. It would be dishonest of me to censor that. Although I'm beginning to think that external file is a hassle and has holes, so should I bother to change code to it? But if Workbench chooses to do it this way shouldn't I make the same effort? And if my kind of users see that warning they'll have kittens, so I do think I need to do the external file after all as best I can...
-
@JNBarchan said in Question about QProcess and deleting a file:
OK, I guess I'll have to reveal what this subprocess is!
mysqldumpThat makes everything much more simple. The subprocess has no vulnerability, you can store your credential in encrypted format so, even if the file remains around, it will be just gibberish to any attacher.
https://dev.mysql.com/doc/refman/5.7/en/mysql-config-editor.html
-
@VRonin
Unfortunately not :( While I might be prepared to use this approach, my end users are not. They won't have/create the file, they won't be prepared to run the configurer, and they generally will not accept or cooperate.I knew about this avenue, and I do respect your suggestion, but the purpose of this question is to emulate just what MySQL Workbench does (as I've shown above) in precisely the same circumstances, i.e. no
.mylogin.cnf
file at all, let alone encrypted. -
I think this might be more secure but I'm not 100% sure. You could use QProcessEnvironment to assign your password to the
MYSQL_PWD
environment variable. -
@mchinand
Ooohhh, that's interesting. Where do you get theMYSQL_PWD
environment variable documentation from, please? -
@JNBarchan said in Question about QProcess and deleting a file:
@mchinand
Ooohhh, that's interesting. Where do you get theMYSQL_PWD
environment variable documentation from, please?See this part of the QProcess help. Your mysqldump process will use the value of MYSQL_PWD for the password if you don't specify it as a command-line argument. After further searching, it's probably not any more secure since there are ways to get a process' environment according to the MySQL manual (bottom of that page)
-
@mchinand
I looked at the MySQL manual page, thanks. It was a good idea I didn't know about, and is useful information. Unfortunately, though, it actually describes environment variable as "extremely insecure", one rank down from passing on OS command-line, so probably not. But a good suggestion!