securely passing a password to subprocess.Popen via environment











up vote
4
down vote

favorite












I would like to securely ask a password to a user and then pass it to subprocess.Popen to run a command that requires it.



I have seen this question and that one, but I wonder if I can securely pass the password via the subprocess environment like that:



import subprocess, os

user_password = input("what is you password?")

my_env = os.environ.copy()

my_env["userpass"] = user_password

my_command = "python --version"

subprocess.Popen(my_command, env=my_env)


Will the password be flushed once the python script is closed ? I have look at the subprocess documentation but it's not explained.



When I add this line print(os.environ['userpass']) at the end of my code to print the OS environment, I can retrieve the user password. Do it means that the password can be access by the other running processes ?



Edit: I can't pipe the password as the command I use doesn't read its password from standard input






python security passwords subprocess







share|improve this question




















  • 2




    I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in linux at least).
    – jedwards
    Nov 9 at 20:26












  • It looks like the environment trick is just as risky on Windows too, btw (here)
    – jedwards
    Nov 9 at 20:30












  • Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
    – Enora
    Nov 9 at 20:48












  • regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
    – Enora
    Nov 9 at 20:49










  • (a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
    – jedwards
    Nov 9 at 20:51















up vote
4
down vote

favorite












I would like to securely ask a password to a user and then pass it to subprocess.Popen to run a command that requires it.



I have seen this question and that one, but I wonder if I can securely pass the password via the subprocess environment like that:



import subprocess, os

user_password = input("what is you password?")

my_env = os.environ.copy()

my_env["userpass"] = user_password

my_command = "python --version"

subprocess.Popen(my_command, env=my_env)


Will the password be flushed once the python script is closed ? I have look at the subprocess documentation but it's not explained.



When I add this line print(os.environ['userpass']) at the end of my code to print the OS environment, I can retrieve the user password. Do it means that the password can be access by the other running processes ?



Edit: I can't pipe the password as the command I use doesn't read its password from standard input






python security passwords subprocess







share|improve this question




















  • 2




    I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in linux at least).
    – jedwards
    Nov 9 at 20:26












  • It looks like the environment trick is just as risky on Windows too, btw (here)
    – jedwards
    Nov 9 at 20:30












  • Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
    – Enora
    Nov 9 at 20:48












  • regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
    – Enora
    Nov 9 at 20:49










  • (a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
    – jedwards
    Nov 9 at 20:51













up vote
4
down vote

favorite









up vote
4
down vote

favorite











I would like to securely ask a password to a user and then pass it to subprocess.Popen to run a command that requires it.



I have seen this question and that one, but I wonder if I can securely pass the password via the subprocess environment like that:



import subprocess, os

user_password = input("what is you password?")

my_env = os.environ.copy()

my_env["userpass"] = user_password

my_command = "python --version"

subprocess.Popen(my_command, env=my_env)


Will the password be flushed once the python script is closed ? I have look at the subprocess documentation but it's not explained.



When I add this line print(os.environ['userpass']) at the end of my code to print the OS environment, I can retrieve the user password. Do it means that the password can be access by the other running processes ?



Edit: I can't pipe the password as the command I use doesn't read its password from standard input






python security passwords subprocess







share|improve this question















I would like to securely ask a password to a user and then pass it to subprocess.Popen to run a command that requires it.



I have seen this question and that one, but I wonder if I can securely pass the password via the subprocess environment like that:



import subprocess, os

user_password = input("what is you password?")

my_env = os.environ.copy()

my_env["userpass"] = user_password

my_command = "python --version"

subprocess.Popen(my_command, env=my_env)


Will the password be flushed once the python script is closed ? I have look at the subprocess documentation but it's not explained.



When I add this line print(os.environ['userpass']) at the end of my code to print the OS environment, I can retrieve the user password. Do it means that the password can be access by the other running processes ?



Edit: I can't pipe the password as the command I use doesn't read its password from standard input






python security passwords subprocess




python security passwords subprocess






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 10 at 18:21

























asked Nov 9 at 20:14









Enora

1,77922339




1,77922339








  • 2




    I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in linux at least).
    – jedwards
    Nov 9 at 20:26












  • It looks like the environment trick is just as risky on Windows too, btw (here)
    – jedwards
    Nov 9 at 20:30












  • Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
    – Enora
    Nov 9 at 20:48












  • regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
    – Enora
    Nov 9 at 20:49










  • (a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
    – jedwards
    Nov 9 at 20:51














  • 2




    I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in linux at least).
    – jedwards
    Nov 9 at 20:26












  • It looks like the environment trick is just as risky on Windows too, btw (here)
    – jedwards
    Nov 9 at 20:30












  • Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
    – Enora
    Nov 9 at 20:48












  • regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
    – Enora
    Nov 9 at 20:49










  • (a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
    – jedwards
    Nov 9 at 20:51








2




2




I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in linux at least).
– jedwards
Nov 9 at 20:26






I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in linux at least).
– jedwards
Nov 9 at 20:26














It looks like the environment trick is just as risky on Windows too, btw (here)
– jedwards
Nov 9 at 20:30






It looks like the environment trick is just as risky on Windows too, btw (here)
– jedwards
Nov 9 at 20:30














Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
– Enora
Nov 9 at 20:48






Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
– Enora
Nov 9 at 20:48














regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
– Enora
Nov 9 at 20:49




regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
– Enora
Nov 9 at 20:49












(a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
– jedwards
Nov 9 at 20:51




(a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
– jedwards
Nov 9 at 20:51

















active

oldest

votes











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














 

draft saved


draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53232728%2fsecurely-passing-a-password-to-subprocess-popen-via-environment%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown






























active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes
















 

draft saved


draft discarded



















































 


draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53232728%2fsecurely-passing-a-password-to-subprocess-popen-via-environment%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Florida Star v. B. J. F.

Image
Florida Star v. B. J. F. From Wikipedia, the free encyclopedia Jump to navigation Jump to search United States Supreme Court case Florida Star v. B. J. F. Supreme Court of the United States Argued March 21, 1989 Decided June 21, 1989 Full case name The Florida Star v. B. J. F. Citations 491 U.S. 524 ( more ) 109 S. Ct. 2603; 105 L. Ed. 2d 443; 1989 U.S. LEXIS 3120; 57 U.S.L.W. 4816; 16 Media L. Rep. 1801 Prior history The Florida Star v. B.J.F., 530 So.2d 286 (1988) Supreme Court of Florida; Florida Star v. B.J.F., 499 So.2d 883 (1986) Fla. Dist. Court of Appeals Holding Florida Stat. § 794.03 is unconstitutional to the extent it makes the truthful reporting of information that was a matter of public record unlawful, as it violates the First Amendment. Court membership Chief Justice William Rehnquist Associate Justices William J. Brennan Jr.  · Byron White Thurgood Marshall  · Harry Blac
Read more

Error while running script in elastic search , gateway timeout

Image
0 while running script in elastic search, I got 504 Gateway timeout error. { "query": { "bool": { "filter": { "script": { "script": " doc['creted_date'].date.getMonthOfYear() == 12 " } } } }, "aggs": { "test": { "date_histogram": { "field": "creted_date", "interval": "month", "format": "MMM" }, "aggs": { "cost": { "sum": { "field": "cost" } } }
Read more

Adding quotations to stringified JSON object values

Image
0 My stringified object data doesn't include quotation marks around object values, which errors when attempting JSON.parse() : '{ "affiliation": CORPORATE, "userId": 75c35d1c-5d12-4485-8fa8-b2f1551a3e6e }' I need the string to be: '{ "affiliation": "CORPORATE", "userId": "75c35d1c-5d12-4485-8fa8-b2f1551a3e6e" }' I'm using this regex to add quotes to the object keys: var newStr = str.replace(/(['"])?([a-z0-9A-Z_]+)(['"])?:/g, '"$2": '); For instance: '{ affiliation: CORPORATE }' to '{ "affiliation": CORPORATE }' There are only string values in my data, so I don't need to check value types. How can I alter my regex expression to add quotations to
Read more