Retrieve Password from a File or Prompt

Alex Peshkov

Any command-line utility that takes a -password parameter is vulnerable to password sniffing, especially when the utility is run from a script. Since v.2.1, the [PASSWORD] argument has been displayed in the process list on POSIX platforms as an asterisk ( * ), which was an improvement on showing it in the clear.

As a second stage towards hiding the password from unauthorised eyes, this release enables it to be retrieved from a file or (on POSIX) from STDIN.

New -fetch_password Switch

Firebird 2.5 introduces the new switch -fet[ch_password] as an optional replacement for -pa[ssword] for all command-line utilities that take a password for authentication purposes. The switch may be progressively abbreviated from the right, conforming to the established rules.

PLEASE NOTE

  1. The exception to the rules is the qli utility, for which only -F is valid.

  2. The new switch cannot be applied to substitute for the -pw switch of the gsec utility.

Usage of -fetch_password

The switch requires one parameter, an unquoted string that is the file path for the file containing the password. If the call is not made by a system user with Superuser/Administrator privileges, the location must be accessible by the system user making the call.

For example,

  isql -user sysdba -fet passfile server:employee
        

extracts the first line from a file named “passfile” in the current working directory and loads it into the [PASSWORD] argument of the call.
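
The following POSIX shell helpers are an added example, not part of the Firebird documentation. They create the password file with owner-only permissions and check it before running the isql call shown above; the function names and the owner-only permission policy are assumptions of this example.

```shell
#!/bin/sh
# Added example; helper names and the owner-only policy are assumptions.

# Store the password (read from stdin, so it never appears in argv) as the
# first line of the file, which is the line -fetch_password reads.
write_passfile() {
    (
        umask 077                      # new file is created owner-only
        IFS= read -r pw || :           # tolerate a missing final newline
        [ -n "$pw" ] || exit 1         # refuse an empty password
        : > "$1" && chmod 600 "$1" && printf '%s\n' "$pw" > "$1"
    )
}

# Succeed only if the file is a regular file owned by the caller, has no
# group/other permission bits, and has a non-empty first line.
check_passfile() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "not a regular file: $f" >&2; return 1
    fi
    [ -O "$f" ] || { echo "not owned by calling user: $f" >&2; return 1; }
    mode=$(ls -ld -- "$f" | cut -c1-10)
    case $mode in
        -???------) ;;
        *) echo "group/other can access $f ($mode)" >&2; return 1 ;;
    esac
    head -n 1 < "$f" | grep -q . || { echo "empty first line: $f" >&2; return 1; }
}

# The isql call from the page, run only after the file passes the checks.
isql_with_passfile() {
    check_passfile "$1" || return 1
    isql -user sysdba -fet "$1" server:employee
}
```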

The filename can be specified as stdin:

  isql -user sysdba -fet stdin server:employee
        

If stdin is the terminal, a prompt is presented—

  Enter password:
        

—requiring the operator to type in the password.

Tip

On POSIX, the operator will also be prompted if s/he specifies

    -fetch /dev/tty
          

This technique could be useful if, for example, you needed to restore from stdin (all one line):

  bunzip2 -c emp.fbk.bz2 | gbak -c stdin /db/new.fdb -user sysdba -fetch /dev/tty
          