[p4] Perforce passwords

Melissa Kacher mkacher at msn.com
Wed Nov 15 19:47:58 PST 2006


Use perforce security level 3, and the password will not be logged.


-----Original Message-----
From: perforce-user-bounces at perforce.com
[mailto:perforce-user-bounces at perforce.com] On Behalf Of David Alban
Sent: Wednesday, November 15, 2006 2:53 PM
To: perforce-user at perforce.com
Subject: [p4] Perforce passwords


Greetings,

As soon as I realized that user foo could log into perforce as user bar and
vice versa, of course I wanted perforce passwords to be used. Especially for
any perforce user who has super rights.

As soon as I set a password for user perforce, I could no longer execute p4
commands from the command line without getting the complaint:

    Perforce password (P4PASSWD) invalid or unset.

I figured out that user perforce could indeed execute command lines if its
password was in the environment.

Yet I didn't want to execute this on the command line:

  export P4PASSWD=somepasswd

because I didn't want the password to show up in my .bash_history file. So
now when I want to run a command from the command line, I put the following
in a file:

  export P4PASSWD=somepasswd
  p4 some command ...

I then execute the file and subsequently delete it.

Can perforce be directed to prompt me for a password on the command line?
Or be made to look for it on stdin?  gpg, for example, has the
option:

     --passphrase-fd n       Read the passphrase from file descriptor n.

If you specify "--passphrase-fd 0" gpg will look for the passphrase on
stdin.

I'm looking for a way to do command line commands without having the
password show up in a command history, in the process table, or in a file.

Also, now my p4d init script can no longer stop p4d because of the same
issue.  I was simply calling p4 admin stop.  It seems my options are
now:

1.  Include an "export P4PASSWD=..." line in the init script before the
    call to p4 admin stop

2.  Write a script, say "p4-admin-stop" (below) and have the init script
    call it when it wants to stop the perforce server.

  #!/bin/bash

  # THIS FILE NEEDS *NOT* TO BE READABLE BY ANY USERS UNLESS THEY SHOULD
  # KNOW THE PERFORCE USER PASSWORD, WHICH IS BELOW!

  export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin

  server_user=perforce
  server_user_passwd=somepasswd

  [[ $( id -un ) !=  "$server_user" ]] && {
    echo 1>&2 "${0##*/}: must be user '$server_user' to run $0"
    exit 255
  }

  export P4PASSWD="$server_user_passwd"
  p4 admin stop

(The init script would su to perforce before it would run this.)

If p4 had some kind of --passwd-fd or similar option (maybe even a
--get-pw-from-file option?), I could at least prompt the user for the
password if the init script was run interactively.

How do other folks deal with this?  I really am squeamish about having the
password of a perforce user that has super rights in a command history file,
in a script, or in the process table.

Is my understanding of the way passwords work correct?

Thanks,
David
-- 
David Alban <dalban at stubhub.com>
Release Engineering Tools
http://StubHub.com/
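
Added example, not part of either message and not Perforce's own code: at security level 3, as suggested in the reply, the server accepts only tickets issued by `p4 login`, which reads the password from a prompt or from stdin. The sketch below is an init-script stop helper built on that; P4_BIN, P4_PW and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes security level 3, where the
# server accepts only tickets issued by `p4 login` (P4PASSWD is not used).
# P4_BIN, P4_PW and the function names are hypothetical.
P4_BIN=${P4_BIN:-p4}

# Put the password in $P4_PW: prompt without echo on a terminal, otherwise
# take one line from stdin (what gpg's "--passphrase-fd 0" does).
read_password() {
    if [ -t 0 ]; then
        trap 'stty echo; exit 1' INT TERM
        printf 'Perforce password: ' >&2
        stty -echo
        IFS= read -r P4_PW || :
        stty echo
        trap - INT TERM
        printf '\n' >&2
    else
        IFS= read -r P4_PW || :
    fi
    [ -n "$P4_PW" ]
}

p4_admin_stop() {
    read_password || { echo "p4_admin_stop: no password supplied" >&2; return 1; }
    # printf is a shell builtin, so the password is never in the argument
    # list of a process, in the environment, or in a file; it reaches
    # `p4 login` over a pipe. p4 login then stores a time-limited ticket.
    if ! printf '%s\n' "$P4_PW" | "$P4_BIN" login >/dev/null; then
        unset P4_PW
        echo "p4_admin_stop: login failed" >&2
        return 1
    fi
    unset P4_PW
    "$P4_BIN" admin stop
}

# Run as "sh p4-admin-stop.sh stop" from the init script, as user perforce.
case "${1:-}" in
    stop) p4_admin_stop ;;
esac
```

Run interactively it prompts; run with stdin redirected it takes the password from there, so no copy lands in the shell history or the process table.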
