Kinook Software Forum

Go Back   Kinook Software Forum > Visual Build Professional > [VBP] Third Party Tools
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Rate Thread Display Modes
  #1  
Old 08-28-2003, 02:15 AM
gribble gribble is online now
Registered User
 
Join Date: 06-04-2003
Posts: 21
Perforce Passwords displayed as clear text

When showing the "commandline constructed for call" of perforce action steps...

it would be a good idea to mask out the password with asterisks, as otherwise the log files and/or screen output can easily reveal the sensitive perforce password information!

eg the output shows:

p4 -cGRIBBLE_WAGON_MAIN -pperforce:1666 -uryan.gribble -Ppassword change -i


I am using temporary macros to store the password, and i accept that whilst the script is running, someone could look in the macros list and see the password... but once ive shut down VBPro someone could still look in the logfile. (yes i know the logfile could be deleted, but we want to keep them on hand, and infact email it to a list of people, who shouldnt all have access to the masterbuild password for perforce!).
Reply With Quote
  #2  
Old 08-28-2003, 04:29 PM
kinook kinook is online now
Administrator
 
Join Date: 03-06-2001
Location: Colorado
Posts: 6,034
A couple of options:

1) Don't write the P4 command-line to the log (uncheck the 'show command-line' option).

2) Store the password in the P4PASSWD environment variable at the start of the build, and remove the password from the Perforce steps (sample attached).
Attached Files
File Type: bld p4passwd.bld (598 Bytes, 1978 views)
Reply With Quote
  #3  
Old 08-28-2003, 06:16 PM
gribble gribble is online now
Registered User
 
Join Date: 06-04-2003
Posts: 21
Thanks for the response...

Yes i realise i could avoid it by not showing the command in the logs, but we are finding it useful to log the exact command created incase we do have an error we know what command was ruyn. Now the build script is polished and working fine though, perhaps i dont need to output it anymore.


As foir setting the environment variable P4PASSWD... i cant see how this is very secure either, as opening the .bld file in notepad will reveal it's value:
<step action='Set Macro' type='0'>
<MacroEnvVar type='11'>-1</MacroEnvVar>
<MacroName>P4PASSWD</MacroName>
<MacroValue>pass</MacroValue>
<description>Store the Perforce password in the P4PASSWD macro/environment variable</description>
<name>create env var</name>
</step>


What i am doing is using a custom user action ive written in c#.NET to get the required perforce settings (as well as other build options) and then store them as temporary macros. The advantage of this is that the tempoirary macro isnt stored in the .bld file, so once the script is run and VBPro closes, the perforce password and other details are no longer visible anywhere.


I suppose i was just saying maybe in a future version, if the option "output command" is ticked, the password (if provided) could be masked out for security
Reply With Quote
  #4  
Old 08-28-2003, 07:22 PM
kinook kinook is online now
Administrator
 
Join Date: 03-06-2001
Location: Colorado
Posts: 6,034
You can still retrieve the password into a temporary variable using your C# component, just replace 'pass' in the sample with %NAME_OF_TEMP_MACRO_HOLDING_PASSWORD%. As for obscuring the password when logging, that's not so simple since the logging component(s) don't have any intrinsic knowledge of where passwords might exist in the text they are logging.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT -5. The time now is 07:22 PM.


Copyright © 1999-2023 Kinook Software, Inc.