[SERVER-11230] sslPEMKeyPassword is exposed through task manager on Windows Created: 17/Oct/13 Updated: 10/Dec/14 Resolved: 18/Oct/13 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Luke Lovett | Assignee: | Andreas Nilsson |
| Resolution: | Done | Votes: | 0 |
| Labels: | 26qa | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
Running on Windows 2008 Server R2, |
||
| Operating System: | Windows | ||||
| Steps To Reproduce: | 1. Launch a mongod with a sslPEMKeyFile that requires a password. Provide the password through sslPEMKeyPassword.
2. Open the Task Manager. Show the command line by going to View --> Select Columns... and making sure "Command Line" is checked. |
| Description |
|
The argument to sslPEMKeyPassword can be revealed through the task manager on Windows. See the screenshot. |
| Comments |
| Comment by Andy Schwerin [ 18/Oct/13 ] |
|
This is just the nature of the Windows process manager. |
| Comment by Daniel Pasette (Inactive) [ 17/Oct/13 ] |
|
I'm not sure we can avoid this currently if the user does not use the prompt.
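An audit for the exposure reported in this ticket, added here as an example (not code from the ticket or from the MongoDB project): it flags any process whose command line carries a value for `--sslPEMKeyPassword` and redacts that value in its own output. The function name `Find-ExposedPemPassword`, the sample process list, the paths and the password string are constructed for illustration.

```powershell
# Matches "--sslPEMKeyPassword value" and "--sslPEMKeyPassword=value", quoted or not.
$pattern = '(?i)--sslPEMKeyPassword(?:\s+|=)(?:"(?<v>[^"]*)"|(?<v>\S+))'

function Find-ExposedPemPassword {
    param(
        # Any object with ProcessId and CommandLine properties
        # (for example the output of Get-CimInstance Win32_Process).
        [Parameter(ValueFromPipeline = $true)]
        [psobject]$Process
    )
    process {
        # CommandLine is empty when the caller lacks rights to read that process.
        if (-not $Process.CommandLine) { return }

        $m = [regex]::Match($Process.CommandLine, $pattern)
        if (-not $m.Success) { return }

        # Replace the password with a marker so the audit report
        # does not disclose it a second time.
        $v = $m.Groups['v']
        $redacted = $Process.CommandLine.Remove($v.Index, $v.Length).Insert($v.Index, '<redacted>')

        [pscustomobject]@{
            ProcessId   = $Process.ProcessId
            CommandLine = $redacted
        }
    }
}

# Constructed sample data standing in for a process listing.
$samples = @(
    [pscustomobject]@{ ProcessId = 4101
        CommandLine = 'mongod.exe --sslPEMKeyFile C:\certs\server.pem --sslPEMKeyPassword Example-Pass1' }
    [pscustomobject]@{ ProcessId = 4102
        CommandLine = 'mongod.exe --sslPEMKeyFile C:\certs\server.pem --sslPEMKeyPassword="two words"' }
    # No password argument: mongod prompts for it, so nothing appears in the listing.
    [pscustomobject]@{ ProcessId = 4103
        CommandLine = 'mongod.exe --sslPEMKeyFile C:\certs\server.pem' }
)

# Reports 4101 and 4102 with the value redacted; 4103 is not reported.
$samples | Find-ExposedPemPassword | Format-List

# On a live Windows host, audit the running processes instead:
# Get-CimInstance Win32_Process -Filter "Name = 'mongod.exe'" | Find-ExposedPemPassword
```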