Crystal03 / google-docs-fs

Automatically exported from code.google.com/p/google-docs-fs
GNU General Public License v2.0

Password displayed in process list #5

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Mount your Google Docs account
2. $ ps aux | grep gFile
3. See password in the clear!

What is the expected output? What do you see instead?
Password should not be displayed in such an easily accessible way.

What version of the product are you using? On what operating system?
1.0beta, Fedora 10

Please provide any additional information below.

Could this be mitigated by having gFile.py prompt for the password instead
of it being passed as a command-line argument? Alternatively, it could be
passed through a pipe, or stored in a config file. Not very familiar with
the gdata library, but could we use an API key or something of the sort? OAuth?

My goal is to be comfortable setting this to automount assuming I have
reasonable security on my system. (Though, one could make the case that
"reasonable security" would keep someone from listing the running processes)

I'm in the midst of final exams right now, but I'll try to take a crack at
it next week and see if I can put together a patch to make it more secure.
Is there any particular reason password-as-a-parameter needs to stay?

Lovin' it already! Great work!

Original issue reported on code.google.com by michael....@gmail.com on 26 Apr 2009 at 4:06

GoogleCodeExporter commented 9 years ago
Thanks! I never even thought to check this! I'll take the .tar.gz off the featured
downloads and put a notice up ASAP. It shouldn't be too hard to fix, but you're
right, it's a massive security risk.
I'll issue a fix as soon as I get home from university this evening.

Original comment by d38dm8nw81k1ng@gmail.com on 27 Apr 2009 at 1:26

GoogleCodeExporter commented 9 years ago
I've just issued a fix and put beta2 up for download. I've checked it and it
shouldn't display the password on ps aux any more. If you want to, could you double
check to make sure I've not missed anything and I'll then list this as verified. I've
listed it as fixed for now.
On a side note, this isn't my "ideal" situation. I've been toying with the idea of
adding a GUI for GNOME (and possibly KDE, though since I use Ubuntu, it's not a
priority for me). The eventual goal would be to use the GNOME Keyring to store the
password, so the scripts will need to be altered so that they support this.
But that's at least 2-3 months away (when I finish my exams in June), so I'm just
focusing on getting things working smoothly and relatively bug-free.
Thanks for bringing this to my attention and good luck with your exams =D

Original comment by d38dm8nw81k1ng@gmail.com on 27 Apr 2009 at 5:19
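
Added example, not part of the thread and not the project's code: one way to double-check a fix of this kind on Linux is to start a helper both ways and look at its `/proc/<pid>/cmdline`, the data `ps aux` displays. The helper script, `cmdline_exposes`, the account name and the secret are hypothetical, constructed values; the helper stands in for gFile.py and takes the password from argv, a no-echo prompt, or a pipe.

```python
import subprocess
import sys
from pathlib import Path

# Constructed stand-in for a mount helper (not gFile.py itself). It accepts the
# password in argv (the reported behaviour), from a no-echo prompt, or on stdin.
CHILD = r'''
import getpass, sys, time
if len(sys.argv) > 2:                  # reported behaviour: password in argv
    password = sys.argv[2]
elif sys.stdin.isatty():               # interactive mount: prompt without echo
    password = getpass.getpass("Password: ")
else:                                  # automount: one line read from a pipe
    password = sys.stdin.readline().rstrip("\n")
print("ready", flush=True)             # tell the parent the password was read
time.sleep(30)                         # stay alive, like a mounted filesystem
'''


def cmdline_exposes(secret, via_argv):
    """Run the helper and report whether `secret` shows in /proc/<pid>/cmdline,
    which is where ps reads the argument list from on Linux."""
    argv = [sys.executable, "-c", CHILD, "user@example.com"]
    if via_argv:
        argv.append(secret)
    with subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                          text=True) as proc:
        try:
            if not via_argv:
                proc.stdin.write(secret + "\n")
                proc.stdin.flush()
            proc.stdout.readline()     # block until the helper prints "ready"
            raw = Path(f"/proc/{proc.pid}/cmdline").read_bytes()
            return secret.encode() in raw
        finally:
            proc.kill()


if __name__ == "__main__":
    secret = "constructed-secret-123"  # constructed sample value
    print("argv :", cmdline_exposes(secret, via_argv=True))
    print("stdin:", cmdline_exposes(secret, via_argv=False))
```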

GoogleCodeExporter commented 9 years ago

Original comment by d38dm8nw81k1ng@gmail.com on 6 Jun 2009 at 12:41