Question about QProcess and deleting a file
-
@JNBarchan what if the called external process (the one invoked by QProcess) is responsible for reading and deleting the arguments file?
@Pablo-J.-Rogina It still poses the "pull the plug of PC" vulnerability
-
@All
Thanks for comments so far.I have no control over the subprocess. I cannot make it delete the file. Writing a "wrapper" external program to invoke & delete doesn't get me anywhere, as I have the same issues. I am aware of the security issues, and no perfect solution, I'm just looking for some "reasonable" (and not too complex). Remember, I've said I know this issue is not strictly a Qt one, I'm just looking for confirmation on my approaches.
For my two questions I'd just like:
-
The closest I can think of is wait for "subprocess started" signal in Qt (so at least I know it's gotten going), then 1 second timer till delete 'coz I gotta believe it must get it read on start up. Just confirming you guys don't see anything better? (I think @VRonin may have confirmed this.)
-
From the Qt I have to create this file. It could be via a Qt "open this filename I've chosen" function or it could be via a Qt "create temporary filename" function. Do either of these offer a "automatically delete on program exit" flag? (Again, @VRonin may be saying he is not aware of such a flag, and therefore not offered from Qt. I think I recall one at the OS level, maybe in my Windows programming; if you guys don't know I need to go look it up and then come back?)
Tx :)
-
-
@mrjj said in Question about QProcess and deleting a file:
Hi
What OS command are we talking about ?I wrote:
I can test under Linux but not under Windows
Target is both. I'll take whatever I can get. I love Linux and hate Windoze; I wouldn't touch a Mac under any circumstances ;-)
-
Hi
I think
http://doc.qt.io/qt-5/qtemporaryfile.html
will auto delete as soon as QTemporaryFile instance is. -
@mrjj said in Question about QProcess and deleting a file:
Hi
What OS command are we talking about ?I wrote:
I can test under Linux but not under Windows
Target is both. I'll take whatever I can get. I love Linux and hate Windoze; I wouldn't touch a Mac under any circumstances ;-)
-
Oh, i mean what OS command are you calling/running ?
? I develop under Linux (only). Users could be running either Linux or Windows. Solution will work for whatever it works for. If it doesn't work under Windoze that's their fault for running a crappy OS. If if doesn't work under Linux I won't be able to test it, and won't be happy!
-
Hi
I think
http://doc.qt.io/qt-5/qtemporaryfile.html
will auto delete as soon as QTemporaryFile instance is.@mrjj said in Question about QProcess and deleting a file:
Hi
I think
http://doc.qt.io/qt-5/qtemporaryfile.html
will auto delete as soon as QTemporaryFile instance is.Yes, thank you. It says:
QTemporaryFile is used to create unique temporary files safely. The file itself is created by calling open(). The name of the temporary file is guaranteed to be unique (i.e., you are guaranteed to not overwrite an existing file), and the file will subsequently be removed upon destruction of the QTemporaryFile object
This is better than nothing. However because it doesn't say whether it uses a native OS facility (if available) for this, if it just implements in its own code that won't help if parent Qt program dies without cleaning up. And I really don't want to leave an external file with a password in it lying around in the file system potentially....
-
QTemporaryFile (if not leaked) guarantees the file is removed when the program closes (unless you explicitly tell it not to delete it). The problem with it is that if the program crashes or gets killed that file will still live. That's why I suggest managing the life of the file in a separate, very simple program that has very limited chance to crash.
When I use QTemporaryFile I also always set up a function like this that removes any leftover temporary file from a previous crash and call it at startup
Edit:
I really don't want to leave an external file with a password in it lying around in the file system potentially....
I don't think you can ever guarantee this.
Edit2:
If security is really a concern then you'd need to even prevent recovery of the file and this is basically impossible on SSD.
I think you are concerned about security while a fatal security flaw was introduced by something you have no control over. If you have to live with the vulnerability, roll with it"La mort n'est rien, mais vivre vaincu et sans gloire, c'est mourir tous les jours"
~Napoleon BonaparteOn a crusade to banish setIndexWidget() from the holy land of Qt
-
QTemporaryFile (if not leaked) guarantees the file is removed when the program closes (unless you explicitly tell it not to delete it). The problem with it is that if the program crashes or gets killed that file will still live. That's why I suggest managing the life of the file in a separate, very simple program that has very limited chance to crash.
When I use QTemporaryFile I also always set up a function like this that removes any leftover temporary file from a previous crash and call it at startup
Edit:
I really don't want to leave an external file with a password in it lying around in the file system potentially....
I don't think you can ever guarantee this.
Edit2:
If security is really a concern then you'd need to even prevent recovery of the file and this is basically impossible on SSD.
I think you are concerned about security while a fatal security flaw was introduced by something you have no control over. If you have to live with the vulnerability, roll with it@VRonin
Yeah OK.I've started to look up what i had in mind. Here's Linux
man open(2):O_TMPFILE (since Linux 3.11) Create an unnamed temporary file. The pathname argument specifies a directory; an unnamed inode will be created in that directory's filesystem. Anything written to the resulting file will be lost when the last file descriptor is closed, unless the file is given a name.That's what I had in mind, because you'll see it doesn't matter if the creating process dies. But I just realised this gives the file no name, so it won't be so useful for passing to another program!!
OK, so
man 3 tmpfile:The tmpfile() function opens a unique temporary file in binary read/write (w+b) mode. The file will be automatically deleted when it is closed or the program terminates.This does create a named file, and returns an open handle. Again note the "deleted when program terminates" (assuming it's an OS facility, if they only mean C runtime clean-up it's no good... I need to check, sigh.). I think this is the closest to what I recall...
As I said, I'm not fanatical over security, I know it will vulnerable, just looking for a reasonable deal.
-
OK, I guess I'll have to reveal what this subprocess is!
mysqldump, to do database backups. It needs username + password to connect to MySQL server as.If you look at how MySQL Workbench invokes it, it uses
mysqldump's acceptance of command-line:mysqldump --defaults-file="/tmp/tmpsYWm9r/extraparams.cnf" ...to pass (just) the password in that file. I do not know what flags it might use to open that file.
Now, at present I am just using command-line:
mysqldump --user=... --password=... ...The output --- which my user sees --- starts with:
mysqldump: [Warning] Using a password on the command line interface can be insecure.I am aware of why that is a risk. It would be dishonest of me to censor that. Although I'm beginning to think that external file is a hassle and has holes, so should I bother to change code to it? But if Workbench chooses to do it this way shouldn't I make the same effort? And if my kind of users see that warning they'll have kittens, so I do think I need to do the external file after all as best I can...
-
OK, I guess I'll have to reveal what this subprocess is!
mysqldump, to do database backups. It needs username + password to connect to MySQL server as.If you look at how MySQL Workbench invokes it, it uses
mysqldump's acceptance of command-line:mysqldump --defaults-file="/tmp/tmpsYWm9r/extraparams.cnf" ...to pass (just) the password in that file. I do not know what flags it might use to open that file.
Now, at present I am just using command-line:
mysqldump --user=... --password=... ...The output --- which my user sees --- starts with:
mysqldump: [Warning] Using a password on the command line interface can be insecure.I am aware of why that is a risk. It would be dishonest of me to censor that. Although I'm beginning to think that external file is a hassle and has holes, so should I bother to change code to it? But if Workbench chooses to do it this way shouldn't I make the same effort? And if my kind of users see that warning they'll have kittens, so I do think I need to do the external file after all as best I can...
@JNBarchan said in Question about QProcess and deleting a file:
OK, I guess I'll have to reveal what this subprocess is!
mysqldumpThat makes everything much more simple. The subprocess has no vulnerability, you can store your credential in encrypted format so, even if the file remains around, it will be just gibberish to any attacher.
https://dev.mysql.com/doc/refman/5.7/en/mysql-config-editor.html
"La mort n'est rien, mais vivre vaincu et sans gloire, c'est mourir tous les jours"
~Napoleon BonaparteOn a crusade to banish setIndexWidget() from the holy land of Qt
-
@JNBarchan said in Question about QProcess and deleting a file:
OK, I guess I'll have to reveal what this subprocess is!
mysqldumpThat makes everything much more simple. The subprocess has no vulnerability, you can store your credential in encrypted format so, even if the file remains around, it will be just gibberish to any attacher.
https://dev.mysql.com/doc/refman/5.7/en/mysql-config-editor.html
@VRonin
Unfortunately not :( While I might be prepared to use this approach, my end users are not. They won't have/create the file, they won't be prepared to run the configurer, and they generally will not accept or cooperate.I knew about this avenue, and I do respect your suggestion, but the purpose of this question is to emulate just what MySQL Workbench does (as I've shown above) in precisely the same circumstances, i.e. no
.mylogin.cnffile at all, let alone encrypted. -
OK, I guess I'll have to reveal what this subprocess is!
mysqldump, to do database backups. It needs username + password to connect to MySQL server as.If you look at how MySQL Workbench invokes it, it uses
mysqldump's acceptance of command-line:mysqldump --defaults-file="/tmp/tmpsYWm9r/extraparams.cnf" ...to pass (just) the password in that file. I do not know what flags it might use to open that file.
Now, at present I am just using command-line:
mysqldump --user=... --password=... ...The output --- which my user sees --- starts with:
mysqldump: [Warning] Using a password on the command line interface can be insecure.I am aware of why that is a risk. It would be dishonest of me to censor that. Although I'm beginning to think that external file is a hassle and has holes, so should I bother to change code to it? But if Workbench chooses to do it this way shouldn't I make the same effort? And if my kind of users see that warning they'll have kittens, so I do think I need to do the external file after all as best I can...
-
I think this might be more secure but I'm not 100% sure. You could use QProcessEnvironment to assign your password to the
MYSQL_PWDenvironment variable. -
@mchinand
Ooohhh, that's interesting. Where do you get theMYSQL_PWDenvironment variable documentation from, please?@JNBarchan said in Question about QProcess and deleting a file:
@mchinand
Ooohhh, that's interesting. Where do you get theMYSQL_PWDenvironment variable documentation from, please?See this part of the QProcess help. Your mysqldump process will use the value of MYSQL_PWD for the password if you don't specify it as a command-line argument. After further searching, it's probably not any more secure since there are ways to get a process' environment according to the MySQL manual (bottom of that page)
-
@JNBarchan said in Question about QProcess and deleting a file:
@mchinand
Ooohhh, that's interesting. Where do you get theMYSQL_PWDenvironment variable documentation from, please?See this part of the QProcess help. Your mysqldump process will use the value of MYSQL_PWD for the password if you don't specify it as a command-line argument. After further searching, it's probably not any more secure since there are ways to get a process' environment according to the MySQL manual (bottom of that page)
@mchinand
I looked at the MySQL manual page, thanks. It was a good idea I didn't know about, and is useful information. Unfortunately, though, it actually describes environment variable as "extremely insecure", one rank down from passing on OS command-line, so probably not. But a good suggestion! -
@mchinand
I looked at the MySQL manual page, thanks. It was a good idea I didn't know about, and is useful information. Unfortunately, though, it actually describes environment variable as "extremely insecure", one rank down from passing on OS command-line, so probably not. But a good suggestion!@JNBarchan
But on the practical side, using MYSQL_PWD remove the race condition on when to remove the file. ?Also, if you had a small launcher app, that you run from the master
GUI, that fires up and starts mysqldump and then terminates, would that not remove the environment and MYSQL_PWD in a very short time frame, making the user ability to list the password using ps way slimmer?Mind you im comparing this with a text file with a plain password that will exit for a second or longer. ( to be on safe side)
I mean, a file not hidden from lsof either and if the user have root access, both approaches are equally easy to hax.
I assume you will be using a read only user account for backup.
-
@JNBarchan
But on the practical side, using MYSQL_PWD remove the race condition on when to remove the file. ?Also, if you had a small launcher app, that you run from the master
GUI, that fires up and starts mysqldump and then terminates, would that not remove the environment and MYSQL_PWD in a very short time frame, making the user ability to list the password using ps way slimmer?Mind you im comparing this with a text file with a plain password that will exit for a second or longer. ( to be on safe side)
I mean, a file not hidden from lsof either and if the user have root access, both approaches are equally easy to hax.
I assume you will be using a read only user account for backup.
But on the practical side, using MYSQL_PWD remove the race condition on when to remove the file. ?
Yes, but then so would passing
--password=...on the command-line.Also, if you had a small launcher app, that you run from the master
GUI, that fires up and starts mysqldump and then terminates, would that not remove the environment and MYSQL_PWD in a very short time frame, making the user ability to list the password using ps way slimmer?For the record, no. Because it's using an environment variable passed to the
mysqldumpexecutable, it persists in that process's space for the duration, and can be found viaps. In that sense, the command-line argument is actually safer, becausemysqldumpobscures this immediately after start up.I assume you will be using a read only user account for backup.
Umm, no actually. Credentials for MySQL are configured into my app from someone at user's site. Chances are, they only even have one account, and that account may well be the
rootone, wouldn't have another one for writing to the database let alone reading from it.... Don't shoot me, I'm only the messenger. -
But on the practical side, using MYSQL_PWD remove the race condition on when to remove the file. ?
Yes, but then so would passing
--password=...on the command-line.Also, if you had a small launcher app, that you run from the master
GUI, that fires up and starts mysqldump and then terminates, would that not remove the environment and MYSQL_PWD in a very short time frame, making the user ability to list the password using ps way slimmer?For the record, no. Because it's using an environment variable passed to the
mysqldumpexecutable, it persists in that process's space for the duration, and can be found viaps. In that sense, the command-line argument is actually safer, becausemysqldumpobscures this immediately after start up.I assume you will be using a read only user account for backup.
Umm, no actually. Credentials for MySQL are configured into my app from someone at user's site. Chances are, they only even have one account, and that account may well be the
rootone, wouldn't have another one for writing to the database let alone reading from it.... Don't shoot me, I'm only the messenger.@JNBarchan
Oh, i though the environment would die with the calling process.
Yep then clearly it's worse. ( as backup takes comparatively long time)Are you in control of the mysqldump ?
I wondering if a user could simply replace the mysqldump executable with own program and be served the password.
