Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Password shown in plain text #58

Open
ngschaider opened this issue Sep 16, 2020 · 5 comments
Open

Password shown in plain text #58

ngschaider opened this issue Sep 16, 2020 · 5 comments
Labels
enhancement security Security related issues

Comments

@ngschaider
Copy link

ngschaider commented Sep 16, 2020
edited
Loading

Currently the password is specified in plain text when invoking mcrcon.
Example:
./mcrcon -H localhost -P 25575 -p MY_PASSWORD

This obviously allows anyone to see the password on the screen while typing it in and also saves the password to ~/.bash_history.
A solution to this is to allow entering the password via a prompt when -p is not specified.

Pull Request #50 implements this kind of prompt (haven't tested it yet, but looks very promising)
@Tiiffi
Copy link
Owner

Tiiffi commented Feb 8, 2021

This is a good idea. It has been on TODO list for a long time.

I have to do some testing and see what library dependencies it introduces (trying to keep it minimal).

@Tiiffi Tiiffi added the security Security related issues label Mar 2, 2021
@jnovack
Copy link

jnovack commented Jun 4, 2021
edited
Loading

Prompting definitely rules out the "server maintenance scripts" portion of the raison-d'etre.

Preferred methods for automation would be passing a filename (where the password is in the file) as a variable (e.g Docker Secrets method), or as an environment variable.

~/.bash_history is user file in a user directory, if you have other users looking at your .bash_history, you have additional issues, and I do not believe to be a concern of a user-space application. I believe you meant to say that adding a value on the command line exposes it via ps -aux (or ps -ef, your choice), which is a valid concern.

@clemisch
Copy link

clemisch commented Nov 4, 2023

Can't you just use this?

./mcrcon -H localhost -P 25575 -p $(cat /path/to/pw/file)

@Thom1729
Copy link

Thom1729 commented Nov 6, 2023

For what it's worth, the password and port are both stored in plaintext in the server.properties file. So if a script has read access to that file, then in principle it can grab those values from that file rather than hard-coding them.

It might be a useful feature for mcrcon to take an arg pointing to a server.properties file and reading the port and password from there. This would require parsing the file, but that's not too complicated.

@alext
Copy link

alext commented Feb 28, 2024

The server.properties file is pretty easy to parse with awk, so you could do something like:

./mcrcon -H localhost -p "$(awk -F '=' '$1 == "rcon.password" { print $2; exit }' /path/to/server.properties)"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement security Security related issues
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@alext @jnovack @Tiiffi @clemisch @ngschaider @Thom1729