Tracker: Feature Requests

Ability to enter password from within schemaSpy - ID: 3021923
Last Update: Comment added ( sf-robot )

The requirement to include a password as a command-line switch is a huge security risk.

Especially as SchemaSpy can take several minutes to run on a large database, this requirement allows any user on the system to execute a simple ps and immediately be provided with all of the login details to the database - including a password. As many users may be running with elevated privileges, in order to ensure they have the entire schema, this is a very serious potential exposure.

SchemaSpy should allow for the user to submit a command line and then subsequently prompt the user for the password. This same behavior can be seen in most every database administration tool.


Submitted:  st0w ( st0w ) - 2010-06-26 23:54:50 PDT
Priority:   5
Status:     Closed
Resolution: None
Assigned:   John Currier
Category:   None
Group:      None
Visibility: Public


Comments ( 4 )

Date: 2010-09-29 12:25:09 PDT
Sender: sf-robot (SourceForge.net Site Admin)

This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 14 days (the time period specified by
the administrator of this Tracker).


Date: 2010-08-17 14:12:15 PDT
Sender: johncurrier (Project Admin)

Implemented in Release 5.0.0.


Date: 2010-07-20 15:03:25 PDT
Sender: johncurrier (Project Admin)

A new -pfp (prompt for password) flag has been added in revision 579 (beta
available at http://schemaspy.sourceforge.net/schemaSpy.jar). If running
in a Java 6 or later JVM it will take advantage of the Console classes for
getting the password. If the Console classes aren't available a home-grown
implementation is used.

Let me know if you run into any issues with it.

John


Date: 2010-06-28 15:10:51 PDT
Sender: johncurrier (Project Admin)

There's currently a -connprops option that can be used to point to a file
of key=value pairs containing a password=mypassword entry. That file would
obviously need to be protected. Note that the file you point to can be
something like /dev/con (the console) that would be terminated by a Ctrl+D
or F6 (depending on your OS). This approach, however, will show the
password as you type it.

Another approach (as suggested) would be to add a -pfp (prompt for
password) switch. Java doesn't natively support masking of passwords typed
from the command line, so some additional work would be required to make
that happen.
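As an added illustration of the approach discussed in this comment and implemented in the 2010-07-20 one (example code written for this page, not SchemaSpy's own implementation): a Java 6+ prompt that uses java.io.Console to read the password without echo, with an explicit unmasked fallback when no console is attached. The class name, the "-p" inline flag name and the prompt text are assumptions.

```java
import java.io.BufferedReader;
import java.io.Console;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;

/** Hypothetical prompt-for-password helper, not SchemaSpy's own code. */
public final class PasswordPrompt {

    // Reads without echo via java.io.Console (Java 6+). System.console() is null when
    // stdin is redirected or no terminal is attached; the fallback then reads System.in
    // and says so, because echo cannot be suppressed there (the -connprops-on-/dev/con
    // exposure). Returned as char[] so the caller can wipe it afterwards.
    public static char[] readPassword(String prompt) throws IOException {
        Console console = System.console();
        if (console != null) {
            char[] pw = console.readPassword("%s", prompt);
            return pw == null ? new char[0] : pw;   // null means EOF on the terminal
        }
        System.err.println("(no console available: password will be visible as typed)");
        System.out.print(prompt);
        System.out.flush();
        String line = new BufferedReader(new InputStreamReader(System.in)).readLine();
        return line == null ? new char[0] : line.toCharArray();
    }

    // "-pfp" is the switch from the tracker; "-p <password>" is an assumed name for the
    // inline form, which every local user can read with `ps` while the JVM runs.
    public static char[] passwordFromArgs(String[] args) throws IOException {
        for (int i = 0; i < args.length; i++) {
            if ("-pfp".equals(args[i])) {
                return readPassword("Database password: ");
            }
            if ("-p".equals(args[i]) && i + 1 < args.length) {
                return args[i + 1].toCharArray();
            }
        }
        return new char[0];   // no password supplied
    }

    public static void main(String[] args) throws IOException {
        char[] pw = passwordFromArgs(args);
        try {
            System.out.println("read " + pw.length + " character(s); hand pw to the JDBC driver here");
        } finally {
            Arrays.fill(pw, '\0');   // don't leave the secret lying in the heap
        }
    }
}
```

Run with `java PasswordPrompt -pfp` from a real terminal to see the masked prompt; piping stdin into it exercises the echoing fallback.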



Changes ( 5 )

Field        Old Value          Date                       By
status_id    Pending            2010-09-29 12:25:09 PDT    sf-robot
close_date   2010-08-17 14:12   2010-09-29 12:25:09 PDT    sf-robot
status_id    Open               2010-08-17 14:12:15 PDT    johncurrier
close_date   -                  2010-08-17 14:12:15 PDT    johncurrier
assigned_to  nobody             2010-06-28 15:10:51 PDT    johncurrier