Opened 11 years ago
Last modified 8 months ago
#21392 new New feature
changepassword option to read from stdin
| Reported by: | Paris Kasidiaris | Owned by: | |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Ülgen Sarıkavak | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
It would be really handy to give the user the ability to change user password by supplying it using the stdin.
Advantages
- GUIs can build on top of this feature. Right now an IDE for Python/Django, for example, cannot give the user the ability to add users to his/hers Django project with a GUI, without hacking into the Django core itself.
- Automation tools can build on top of this feature
I suppose that the reason this feature is not implemented yet is that it is considered a security risk. The fact is that this practice cad be found in several software of the UNIX/Linux core.
- Some versions of passwd can read new password from stdin (http://linux.die.net/man/1/passwd)
- chpasswd gets its input from stdin
- useradd can even get the encrypted passwords from the command line (this could be considered even more risky since you can see the given password in the process history)
I think since this practice already exists in most (if not in all) UNIX/Linux systems, it's not a security breach to be added to Django as well.
I will start working on this patch myself.
Change History (14)
comment:1 by , 11 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 11 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | assigned → closed |
comment:3 by , 11 years ago
Sorry but this is not a duplicate. I am proposing reading the password from the standard input. Not as a second parameter. The security risks listed at #18897 are not valid for my ticket.
If something can be put on the command line, someone is going to try and use the argument in a script.
No password is put in the command line
If you type the password at the command line, it will be preserved in command history, which means anyone who can get access to your login can find out your password, too.
No password is typed in the command line
Could you please reconsider opening my ticket?
comment:4 by , 11 years ago
| Resolution: | duplicate |
|---|---|
| Status: | closed → new |
I don't know if it's a good idea but indeed it wasn't discussed in the other ticket.
comment:5 by , 11 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
I'm going to move this to Accepted, which may trigger the wrath of the security overlords...
comment:6 by , 11 years ago
I don't believe this is a security concern at all. The option is to enable reading *from* stdin, not a --this-is-my-new-password-bro switch. Seems reasonable.
comment:7 by , 11 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:8 by , 11 years ago
| Has patch: | set |
|---|---|
| Triage Stage: | Accepted → Ready for checkin |
comment:9 by , 11 years ago
| Triage Stage: | Ready for checkin → Accepted |
|---|
The "ready for checkin" flag is for when someone else has reviewed your patch and deemed it ready.
comment:10 by , 10 years ago
| Has patch: | unset |
|---|
The ticket has "Has patch" set, but I don't see a patch or a link to a pull request?
comment:11 by , 9 years ago
What does it mean "read password from stdin" if it is not already possible (the command asks you for a password at least from django 1.2) and if it doesn't mean to put it into a command line (--password my-new-pass)?
comment:12 by , 6 years ago
Implemented in reusable third party CLI : https://yourlabs.io/oss/djcli
comment:13 by , 6 years ago
| Owner: | removed |
|---|---|
| Status: | assigned → new |
comment:14 by , 8 months ago
| Cc: | added |
|---|
This was already wontfixed in #18897. I suggest you start a thread on the django-developers mailing list to make your case. Reopen then if you get core dev support.