authorChristian Hesse <mail@eworm.de>2016-02-29 21:04:02 +0100
committerChristian Hesse <mail@eworm.de>2016-03-01 19:02:11 +0100
commita5a4e3658ddc0c9692057ce5288fa1bb6f53bacc (patch)
treeffd0eeaac43d8d383dc5ca509f838a9931a97ba8
parent114761866a5e9376277daf847663d23361ffe0c0 (diff)
ask-password: add option --no-output to not print password to stdout
systemd-ask-password can store passwords in the kernel keyring. However, it still prints the passwords to standard output. Depending on where systemd-ask-password is called, passwords may end up on the display or in a log, leaking sensitive information. This option makes systemd-ask-password quiet, effectively disabling the printing of passwords to standard output.
-rw-r--r--man/systemd-ask-password.xml9
-rw-r--r--src/ask-password/ask-password.c11
2 files changed, 19 insertions, 1 deletions
diff --git a/man/systemd-ask-password.xml b/man/systemd-ask-password.xml
index 2a4d24349b..e84a15c554 100644
--- a/man/systemd-ask-password.xml
+++ b/man/systemd-ask-password.xml
@@ -192,6 +192,15 @@
This will output one password per line.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--no-output</option></term>
+
+ <listitem><para>Do not print passwords to standard output.
+ This is useful if you want to store a password in kernel
+ keyring with <option>--keyname</option> but do not want it
+ to show up on screen or in logs.</para></listitem>
+ </varlistentry>
+
<xi:include href="standard-options.xml" xpointer="help" />
</variablelist>
diff --git a/src/ask-password/ask-password.c b/src/ask-password/ask-password.c
index adc9286612..6d53dd982c 100644
--- a/src/ask-password/ask-password.c
+++ b/src/ask-password/ask-password.c
@@ -34,6 +34,7 @@ static const char *arg_keyname = NULL;
static char *arg_message = NULL;
static usec_t arg_timeout = DEFAULT_TIMEOUT_USEC;
static bool arg_multiple = false;
+static bool arg_no_output = false;
static AskPasswordFlags arg_flags = ASK_PASSWORD_PUSH_CACHE;
static void help(void) {
@@ -48,6 +49,7 @@ static void help(void) {
" --no-tty Ask question via agent even on TTY\n"
" --accept-cached Accept cached passwords\n"
" --multiple List multiple passwords if available\n"
+ " --no-output Do not print password to standard output\n"
, program_invocation_short_name);
}
@@ -62,6 +64,7 @@ static int parse_argv(int argc, char *argv[]) {
ARG_MULTIPLE,
ARG_ID,
ARG_KEYNAME,
+ ARG_NO_OUTPUT,
};
static const struct option options[] = {
@@ -74,6 +77,7 @@ static int parse_argv(int argc, char *argv[]) {
{ "multiple", no_argument, NULL, ARG_MULTIPLE },
{ "id", required_argument, NULL, ARG_ID },
{ "keyname", required_argument, NULL, ARG_KEYNAME },
+ { "no-output", no_argument, NULL, ARG_NO_OUTPUT },
{}
};
@@ -125,6 +129,10 @@ static int parse_argv(int argc, char *argv[]) {
arg_keyname = optarg;
break;
+ case ARG_NO_OUTPUT:
+ arg_no_output = true;
+ break;
+
case '?':
return -EINVAL;
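Review bot: The new `ARG_NO_OUTPUT` case accepts `--no-output` on its own, without `--keyname`. In that combination the final hunk in `main()` skips `puts(*p)`, so the password the user typed is not printed. As far as this page shows it is not stored anywhere the caller can retrieve it either, since the man page text ties keyring storage to `--keyname`. A check after the option loop would make the mistake visible instead of silently discarding a secret, e.g. `if (arg_no_output && !arg_keyname) { log_error("--no-output requires --keyname."); return -EINVAL; }`; otherwise the man page should state that the password is dropped in that case. The rest of `parse_argv()` is outside this hunk, so confirm no such check already exists there.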
@@ -166,7 +174,8 @@ int main(int argc, char *argv[]) {
}
STRV_FOREACH(p, l) {
- puts(*p);
+ if (!arg_no_output)
+ puts(*p);
if (!arg_multiple)
break;