Bernardo Reino <reinob@bbmk.org> wrote:
On Wed, 16 Jun 2021, Kevin N. wrote:
Thanks. Reading the manual was the first thing I did before posting to the list.
I'm not sure if this is relevant for the question, but I forgot to mention that the user enters its password through a 'dialog --passwordbox'.
I guess my question is: is it possible to pipe that into 'doveadm pw' directly from memory, without using any kind of on-disk temp file?
$ dialog --passwordbox .. | sed p | doveadm pw
with "sed p" you print explicitly (p) and implicitly (default in sed) the input lines (i.e. whatever dialog returns), so doveadm gets the same line twice, as required.
Cheers.
Thanks Bernardo. The "sed p" seems to do the trick.
I do have to do some validation before I pass the password to "doveadm pw", so my code looks something like:
input_password=$(dialog --passwordbox ...)
#... some validation here ...
hashed_password=$(echo "${input_password}" | sed p | doveadm pw -s SHA512-CRYPT)
In this case will the password still be safe and hidden from a "ps" for example?
I am still new to all this and I wouldn't want to end up with a false sense of security regarding this password passing :)
Doing an 'strace' on the script does show up the password in some reads, in the form of: read(3, "password_here", ....), but not in execve(...) as parameter.
Cheers.
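
Added example, not part of the original thread: on Linux, it compares what a `ps` observer can see of a child process when the password arrives on stdin (the `sed p` pipeline above) and when it is passed as a command-line argument. `child_view` is a hypothetical stand-in for `doveadm pw`, assumed to read the password twice from stdin, and the password is a constructed sample value.

```shell
#!/bin/sh
# child_view (hypothetical stand-in, not doveadm): a separate process that
# reads the password twice from stdin, checks both lines match, then prints
# its own argv from /proc, which is what `ps` would display for it.
child_view() {
    sh -c '
        IFS= read -r first  || exit 2
        IFS= read -r second || exit 2
        [ "$first" = "$second" ] || exit 3     # confirmation mismatch
        tr "\000" " " < "/proc/$$/cmdline"     # argv as ps would show it
    ' pw-stand-in "$@"
}

# Pipeline from the thread. printf is a shell builtin, so no process is
# started with the secret in its argv; it only travels through the pipes.
via_stdin() {
    printf '%s\n' "$1" | sed p | child_view
}

# Contrast: the same secret handed to the child as an argument.
via_argv() {
    printf '%s\n' "$1" | sed p | child_view "$1"
}

# leaks <argv-string> <secret>: succeeds if the secret is visible in argv.
leaks() {
    case $1 in *"$2"*) return 0 ;; *) return 1 ;; esac
}

pw='Constructed-Pa55 with spaces'   # constructed sample value
if leaks "$(via_stdin "$pw")" "$pw"; then
    echo "stdin: password visible in argv"
else
    echo "stdin: password not visible in argv"
fi
if leaks "$(via_argv "$pw")" "$pw"; then
    echo "argv:  password visible in argv"
else
    echo "argv:  password not visible in argv"
fi
```

`strace` still shows the value in `read()` because it traces the process's own system calls, which requires running as the same user or as root; `ps` only exposes argv.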