securely passing a password to subprocess.Popen via environment











up vote
4
down vote

favorite












I would like to securely ask a password to a user and then pass it to subprocess.Popen to run a command that requires it.



I have seen this question and that one, but I wonder if I can securely pass the password via the subprocess environment like that:



import subprocess, os
user_password = input("what is you password?")
my_env = os.environ.copy()
my_env["userpass"] = user_password
my_command = "python --version"
subprocess.Popen(my_command, env=my_env)


Will the password be flushed once the python script is closed ? I have look at the subprocess documentation but it's not explained.



When I add this line print(os.environ['userpass']) at the end of my code to print the OS environment, I can retrieve the user password. Do it means that the password can be access by the other running processes ?



Edit: I can't pipe the password as the command I use doesn't read its password from standard input










share|improve this question




















  • 2




    I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in linux at least).
    – jedwards
    Nov 9 at 20:26












  • It looks like the environment trick is just as risky on Windows too, btw (here)
    – jedwards
    Nov 9 at 20:30












  • Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
    – Enora
    Nov 9 at 20:48












  • regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
    – Enora
    Nov 9 at 20:49










  • (a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
    – jedwards
    Nov 9 at 20:51















up vote
4
down vote

favorite












I would like to securely ask a password to a user and then pass it to subprocess.Popen to run a command that requires it.



I have seen this question and that one, but I wonder if I can securely pass the password via the subprocess environment like that:



import subprocess, os
user_password = input("what is you password?")
my_env = os.environ.copy()
my_env["userpass"] = user_password
my_command = "python --version"
subprocess.Popen(my_command, env=my_env)


Will the password be flushed once the python script is closed ? I have look at the subprocess documentation but it's not explained.



When I add this line print(os.environ['userpass']) at the end of my code to print the OS environment, I can retrieve the user password. Do it means that the password can be access by the other running processes ?



Edit: I can't pipe the password as the command I use doesn't read its password from standard input










share|improve this question




















  • 2




    I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in linux at least).
    – jedwards
    Nov 9 at 20:26












  • It looks like the environment trick is just as risky on Windows too, btw (here)
    – jedwards
    Nov 9 at 20:30












  • Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
    – Enora
    Nov 9 at 20:48












  • regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
    – Enora
    Nov 9 at 20:49










  • (a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
    – jedwards
    Nov 9 at 20:51













up vote
4
down vote

favorite









up vote
4
down vote

favorite











I would like to securely ask a password to a user and then pass it to subprocess.Popen to run a command that requires it.



I have seen this question and that one, but I wonder if I can securely pass the password via the subprocess environment like that:



import subprocess, os
user_password = input("what is you password?")
my_env = os.environ.copy()
my_env["userpass"] = user_password
my_command = "python --version"
subprocess.Popen(my_command, env=my_env)


Will the password be flushed once the python script is closed ? I have look at the subprocess documentation but it's not explained.



When I add this line print(os.environ['userpass']) at the end of my code to print the OS environment, I can retrieve the user password. Do it means that the password can be access by the other running processes ?



Edit: I can't pipe the password as the command I use doesn't read its password from standard input










share|improve this question















I would like to securely ask a password to a user and then pass it to subprocess.Popen to run a command that requires it.



I have seen this question and that one, but I wonder if I can securely pass the password via the subprocess environment like that:



import subprocess, os
user_password = input("what is you password?")
my_env = os.environ.copy()
my_env["userpass"] = user_password
my_command = "python --version"
subprocess.Popen(my_command, env=my_env)


Will the password be flushed once the python script is closed ? I have look at the subprocess documentation but it's not explained.



When I add this line print(os.environ['userpass']) at the end of my code to print the OS environment, I can retrieve the user password. Do it means that the password can be access by the other running processes ?



Edit: I can't pipe the password as the command I use doesn't read its password from standard input







python security passwords subprocess






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 10 at 18:21

























asked Nov 9 at 20:14









Enora

1,77922339




1,77922339








  • 2




    I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in linux at least).
    – jedwards
    Nov 9 at 20:26












  • It looks like the environment trick is just as risky on Windows too, btw (here)
    – jedwards
    Nov 9 at 20:30












  • Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
    – Enora
    Nov 9 at 20:48












  • regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
    – Enora
    Nov 9 at 20:49










  • (a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
    – jedwards
    Nov 9 at 20:51














  • 2




    I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in linux at least).
    – jedwards
    Nov 9 at 20:26












  • It looks like the environment trick is just as risky on Windows too, btw (here)
    – jedwards
    Nov 9 at 20:30












  • Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
    – Enora
    Nov 9 at 20:48












  • regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
    – Enora
    Nov 9 at 20:49










  • (a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
    – jedwards
    Nov 9 at 20:51








2




2




I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in linux at least).
– jedwards
Nov 9 at 20:26






I'd pipe it into the subprocess. Trying to hide it in the environment is maybe marginally better than on the cmdline, but it's still accessible /proc/<pid>/environ (in linux at least).
– jedwards
Nov 9 at 20:26














It looks like the environment trick is just as risky on Windows too, btw (here)
– jedwards
Nov 9 at 20:30






It looks like the environment trick is just as risky on Windows too, btw (here)
– jedwards
Nov 9 at 20:30














Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
– Enora
Nov 9 at 20:48






Thanks for your help! Regarding cmdline. When you say cmdline, you mean this: I run the command directly in Windows command prompt, wait for the command to ask the password and then I type it? Is this unsafe?
– Enora
Nov 9 at 20:48














regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
– Enora
Nov 9 at 20:49




regarding pipe: do you mean doing something like this stackoverflow.com/a/41094357/3154274
– Enora
Nov 9 at 20:49












(a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
– jedwards
Nov 9 at 20:51




(a) no that's safe, I mean when you first type the name of your program to call it -- that's the line I was referring to, not anything you enter subsequently. (b) Yes, that's what I mean re: piping it.
– jedwards
Nov 9 at 20:51

















active

oldest

votes











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














 

draft saved


draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53232728%2fsecurely-passing-a-password-to-subprocess-popen-via-environment%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown






























active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes
















 

draft saved


draft discarded



















































 


draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53232728%2fsecurely-passing-a-password-to-subprocess-popen-via-environment%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Full-time equivalent

さくらももこ

13 indicted, 8 arrested in Calif. drug cartel investigation