securely passing a password to subprocess.Popen via environment

up vote
4
down vote

favorite

I would like to securely ask a password to a user and then pass it to subprocess.Popen to run a command that requires it.

I have seen this question and that one, but I wonder if I can securely pass the password via the subprocess environment like that:

import subprocess, os
user_password = input("what is you password?")
my_env = os.environ.copy()
my_env["userpass"] = user_password
my_command = "python --version"
subprocess.Popen(my_command, env=my_env)

Will the password be flushed once the python script is closed ? I have look at the subprocess documentation but it's not explained.

When I add this line print(os.environ['userpass']) at the end of my code to print the OS environment, I can retrieve the user password. Do it means that the password can be access by the other running processes ?

Edit: I can't pipe the password as the command I use doesn't read its password from standard input

edited Nov 10 at 18:21

asked Nov 9 at 20:14

Enora

1,78422339

2

I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in linux at least).
– jedwards
Nov 9 at 20:26

It looks like the environment trick is just as risky on Windows too, btw (here)
– jedwards
Nov 9 at 20:30

Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
– Enora
Nov 9 at 20:48

regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
– Enora
Nov 9 at 20:49

(a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
– jedwards
Nov 9 at 20:51

|
show 4 more comments

up vote
4
down vote

favorite

I would like to securely ask a password to a user and then pass it to subprocess.Popen to run a command that requires it.

I have seen this question and that one, but I wonder if I can securely pass the password via the subprocess environment like that:

import subprocess, os
user_password = input("what is you password?")
my_env = os.environ.copy()
my_env["userpass"] = user_password
my_command = "python --version"
subprocess.Popen(my_command, env=my_env)

Will the password be flushed once the python script is closed ? I have look at the subprocess documentation but it's not explained.

Edit: I can't pipe the password as the command I use doesn't read its password from standard input

edited Nov 10 at 18:21

asked Nov 9 at 20:14

Enora

1,78422339

2

I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in linux at least).
– jedwards
Nov 9 at 20:26

It looks like the environment trick is just as risky on Windows too, btw (here)
– jedwards
Nov 9 at 20:30

Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
– Enora
Nov 9 at 20:48

regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
– Enora
Nov 9 at 20:49

(a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
– jedwards
Nov 9 at 20:51

|
show 4 more comments

up vote
4
down vote

favorite

I would like to securely ask a password to a user and then pass it to subprocess.Popen to run a command that requires it.

I have seen this question and that one, but I wonder if I can securely pass the password via the subprocess environment like that:

import subprocess, os
user_password = input("what is you password?")
my_env = os.environ.copy()
my_env["userpass"] = user_password
my_command = "python --version"
subprocess.Popen(my_command, env=my_env)

Will the password be flushed once the python script is closed ? I have look at the subprocess documentation but it's not explained.

Edit: I can't pipe the password as the command I use doesn't read its password from standard input

edited Nov 10 at 18:21

asked Nov 9 at 20:14

Enora

1,78422339

I would like to securely ask a password to a user and then pass it to subprocess.Popen to run a command that requires it.

I have seen this question and that one, but I wonder if I can securely pass the password via the subprocess environment like that:

import subprocess, os
user_password = input("what is you password?")
my_env = os.environ.copy()
my_env["userpass"] = user_password
my_command = "python --version"
subprocess.Popen(my_command, env=my_env)

Will the password be flushed once the python script is closed ? I have look at the subprocess documentation but it's not explained.

Edit: I can't pipe the password as the command I use doesn't read its password from standard input

python security passwords subprocess

edited Nov 10 at 18:21

asked Nov 9 at 20:14

Enora

1,78422339

edited Nov 10 at 18:21

asked Nov 9 at 20:14

Enora

1,78422339

edited Nov 10 at 18:21

asked Nov 9 at 20:14

Enora

1,78422339

asked Nov 9 at 20:14

Enora

1,78422339

asked Nov 9 at 20:14

Enora

1,78422339

2

I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in linux at least).
– jedwards
Nov 9 at 20:26

It looks like the environment trick is just as risky on Windows too, btw (here)
– jedwards
Nov 9 at 20:30

Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
– Enora
Nov 9 at 20:48

regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
– Enora
Nov 9 at 20:49

(a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
– jedwards
Nov 9 at 20:51

|
show 4 more comments

2

I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in linux at least).
– jedwards
Nov 9 at 20:26

It looks like the environment trick is just as risky on Windows too, btw (here)
– jedwards
Nov 9 at 20:30

Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
– Enora
Nov 9 at 20:48

regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
– Enora
Nov 9 at 20:49

(a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
– jedwards
Nov 9 at 20:51

I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in linux at least).
– jedwards
Nov 9 at 20:26

It looks like the environment trick is just as risky on Windows too, btw (here)
– jedwards
Nov 9 at 20:30

Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
– Enora
Nov 9 at 20:48

regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
– Enora
Nov 9 at 20:49

(a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
– jedwards
Nov 9 at 20:51

|
show 4 more comments

active

oldest

votes

Your Answer

StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);

);

draft saved

draft discarded

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53232728%2fsecurely-passing-a-password-to-subprocess-popen-via-environment%23new-answer', 'question_page');

);

Post as a guest

Name

Required, but never shown

active

oldest

votes

draft saved

draft discarded

draft saved

draft discarded

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

This page is only for reference, If you need detailed information, please check here

搜尋此網誌

Pfthb