Potential Security concern: "do shell script" in Applescript

popguru · 08-29-2003, 12:28 AM

I recently discovered something slightly disturbing by accident and cannot find any mention of it on the forums: When using the do shell script ... with administrator privileges command in applescript, the administrator password can show up using the ps command in the Terminal. To demonstrate, you can run this command from Script Editor:

Code:

do shell script "sleep 20" with administrator privileges

...and enter your password in the dialog box. Then, before the sleep command exits in 20 seconds, enter this command in the Terminal:

Code:

ps -axww | grep sleep | grep -v grep

You should see something like this:

Code:

18816  ??  S      0:00.01 sh -c echo '********' | sudo -p "" -S sleep 20
18818  ??  S      0:00.87 sleep 20

...where ******** is your password. This information is accessible by any user that can run the ps command. This is probably not a problem if the shell command you're running executes and exits almost immediately, but for any command that needs more that a few seconds to run and exit is a potential security risk. I've confirmed this issue on my Mac OS X 10.2.6 on my G4--I haven't tested it elsewhere. This seems like something that Apple should fix in the implementation of Applescript--there are other ways that they could send the user's password to the shell. I was going to send a message to Apple Tech support, but I thought I'd check here first to see if this is an issue that people already know about. Has anyone else ever noticed or heard of this before? Can anyone check to see if my example works under the Panther beta?

Thanks.

stetner · 08-29-2003, 12:37 AM

Yep, that is pretty ugly

I have found mention of it over a year ago here so it does not look like it is new, but I had never heard of it before..... (but the I don't applescript much)

popguru · 08-30-2003, 03:34 PM

Quote:


	Originally posted by stetner I have found mention of it over a year ago here so it does not look like it is new, but I had never heard of it before..... (but the I don't applescript much)

Hmm...I read through that message thread, and it looks like the discussion there is concerned with the security risks of embedding your password inside an applescript (instead of prompting for it with a dialog window) and of modifying the behavior of the sudo command so that you can run a command with admin privileges without a password. These are both relevant security concerns of using the do shell script command, but they're separate from my main concern: that the do shell script ... with administrator privileges pipes the user's password to the command line using echo, which makes the password visible using the ps command. Thanks for the reply, though.

Anyone else have thoughts on this?

greggo · 09-10-2003, 06:48 PM

You can put it in the background to avoid this issue

Code:

do shell script "sleep 20 &" with administrator privileges

Credit JB LE STANG for this solution.

popguru · 09-10-2003, 08:18 PM

Quote:


	Originally posted by greggo You can put it in the background to avoid this issue Code: do shell script "sleep 20 &" with administrator privileges Credit JB LE STANG for this solution.

Thanks, greggo (and JB LE STANG). That had occurred to me before, but I didn't expect that the applescript would receive the output of terminal command you're running, or be able to tell when (or if) the terminal command terminates. Now that I actually test it, it turns out I was wrong: it does work safely and it does wait until the terminal command terminates, and returns the output.

Using "&" to run commands in the background seems to be the best workaround at the moment.

After testing this method there is one thing I noticed that you applescripters out there should watch out for. If you're running multiple commands with do shell script, linking your commands together with ";" causes the sudo command (and your password) to be visible with ps again. So doing this:

Code:

do shell script "sleep 10 ; sleep 10 &" with administrator privileges

is bad. However, you can nest multiple commands into one shell statement, like this:

Code:

do shell script "sh -c \"sleep 10 ; sleep 10\" &" with administrator privileges

and the sudo command and password will be hidden (good).

While using the above method seems to be safe, I still think there is is a security flaw here that Apple should fix.

08-29-2003, 12:28 AM	#1
popguru Prospect Join Date: Mar 2003 Location: Brooklyn, NY Posts: 40	Potential Security concern: "do shell script" in Applescript I recently discovered something slightly disturbing by accident and cannot find any mention of it on the forums: When using the do shell script ... with administrator privileges command in applescript, the administrator password can show up using the ps command in the Terminal. To demonstrate, you can run this command from Script Editor: Code: do shell script "sleep 20" with administrator privileges ...and enter your password in the dialog box. Then, before the sleep command exits in 20 seconds, enter this command in the Terminal: Code: ps -axww \| grep sleep \| grep -v grep You should see something like this: Code: 18816 ?? S 0:00.01 sh -c echo '******' \| sudo -p "" -S sleep 20 18818 ?? S 0:00.87 sleep 20 ...where **** is your password. This information is accessible by any user that can run the ps command. This is probably not a problem if the shell command you're running executes and exits almost immediately, but for any command that needs more that a few seconds to run and exit is a potential security risk. I've confirmed this issue on my Mac OS X 10.2.6 on my G4--I haven't tested it elsewhere. This seems like something that Apple should fix in the implementation of Applescript--there are other ways that they could send the user's password to the shell. I was going to send a message to Apple Tech support, but I thought I'd check here first to see if this is an issue that people already know about. Has anyone else ever noticed or heard of this before? Can anyone check to see if my example works under the Panther beta? Thanks. __________________ . . .**

08-29-2003, 12:37 AM	#2
stetner MVP Join Date: Jan 2002 Location: Brisbane, Australia Posts: 1,108	Yep, that is pretty ugly I have found mention of it over a year ago here so it does not look like it is new, but I had never heard of it before..... (but the I don't applescript much) __________________ Douglas G. Stetner UNIX Live Free Or Die Last edited by stetner; 08-29-2003 at 12:48 AM.

09-10-2003, 06:48 PM	#4
greggo Prospect Join Date: Jul 2002 Posts: 14	You can put it in the background to avoid this issue Code: do shell script "sleep 20 &" with administrator privileges Credit JB LE STANG for this solution.