149031 – net-fs/curlftpfs "ps -ef" reveals username and password of mounted ftpfs

Bug 149031 - net-fs/curlftpfs "ps -ef" reveals username and password of mounted ftpfs

Summary: net-fs/curlftpfs "ps -ef" reveals username and password of mounted ftpfs

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Other

Importance:	High major (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2006-09-25 02:59 UTC by Bjoern Olausson
Modified:	2006-10-03 11:54 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Bjoern Olausson 2006-09-25 02:59:30 UTC

As reported to upstream:

http://sourceforge.net/tracker/index.php?func=detail&aid=1564953&group_id=160565&atid=816357

"ps -ef" reveals username and password 	Private: (?) 
No 
When mounting a ftp dir with curlFtpFS via fstab or 
via commandline a "ps -ef" reveals full usernamen and 
password.

fstab example:
curlftpfs#user:somepass@ftp.server.xyz /mnt/ftp fuse 
defaults,allow_other 0 0

ps -ef shows the following:
root 11531 1 0 Sep22 ? 00:00:00 
curlftpfs user:somepass@ftp.server.xyz /mnt/ftp -o 
rw,allow_other

Even as unprivileged user you can see this process.

at least the password should be masked.

observed with:
curlftpfs 0.8 libcurl/7.15.4 fuse/2.5

But I guess other version have the same problem.

regards
spamsuxx

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-09-26 13:08:13 UTC

net-fs please advise.

Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev

2006-10-03 11:54:17 UTC

upstream has closed the bug as WONTFIX
their advise is to use a .netrc file containing the username/password

I'm therefore also closing this as WONTFIX on our side. Please reopen, if anyone disagrees.