#38 7z wrapper in /usr/bin jeopardizing the effort to hide password from commandline parameters

Unstable (example)
open
nobody
None
5
2024-10-03
2024-10-03
No

Hello,
this has been already reported to Fedora package:
https://bugzilla.redhat.com/show_bug.cgi?id=2316073

The 7z (/usr/libexec/p7zip/7z) is trying to clear the password from the process command attributes as soon as it is not needed anymore.
Unfortunately in Fedora we have a wrapper /usr/bin/7z which is doing nothing else than executing /usr/libexec/p7zip/7z, which will still reveal the password.

Running for example:
7z a test.7z test.dd -mx=9 -ppassword123

Will result in this process listing:
rebus 2713410 0.0 0.0 228500 3612 pts/24 S+ 10:45 0:00 /usr/bin/sh /usr/bin/7z a test.7z test.dd -mx=9 -ppassword123
rebus 2713411 121 0.4 1079920 154904 pts/24 R+ 10:45 0:08 /usr/libexec/p7zip/7z a test.7z test.dd -mx=9 -p*****

Possible solutions:
1) using the wrapper with a "exec statement to replace the current process"
2) use just a link file
3) compile the 7z in such a way that it can be placed directly to /usr/bin/7z and search the 7z.so in some expectable library location

As using the link file would break 7z, and changing the 7z location needs much more work on the code, I guess using the exec is the right way to go.

The /usr/bin/7z should read like this:

#!/usr/bin/sh

exec "/usr/libexec/p7zip/7z" "$@"

Reproducible: Always

Steps to Reproduce:
1. run in one terminal this loop
    while true ; do ps aux|grep -e '[7]z' ; done | less

2. prepare some reasonably big file
    dd if=/dev/zero of=test.dd bs=1M count=100

3. try to zip the file with password
    7z a test.7z test.dd -mx=9 -ppassword123

Actual Results:
rebus 2713410 0.0 0.0 228500 3612 pts/24 S+ 10:45 0:00 /usr/bin/sh /usr/bin/7z a test.7z test.dd -mx=9 -ppassword123
rebus 2713411 121 0.4 1079920 154904 pts/24 R+ 10:45 0:08 /usr/libexec/p7zip/7z a test.7z test.dd -mx=9 -p*****

Expected Results:
rebus 2713411 121 0.4 1079920 154904 pts/24 R+ 10:45 0:08 /usr/libexec/p7zip/7z a test.7z test.dd -mx=9 -p*****

-------------------- cut here -------------
For completeness:
Using link file results in this error:
sudo rm /usr/bin/7z
sudo ln -s /usr/libexec/p7zip/7z /usr/bin/7z
$ 7z a test.7z test.dd -mx=9 -ppassword123

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i5-8365U CPU @ 1.60GHz (806EC),ASM,AES-NI)

Can't load './7z.dll' (./7z.so: cannot open shared object file: No such file or directory)

ERROR:
7-Zip cannot find the code that works with archives.
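
The effect of the missing exec can be measured without 7z installed. The script below is an added example, not part of the original report or of the p7zip package: the wrapper and target are constructed stand-ins written to a temporary directory, the marker argument is a constructed value, and a Linux /proc is assumed.

```shell
#!/bin/sh
# Added example: counts how many processes still expose a password-like
# argument in /proc/<pid>/cmdline when a wrapper is written with or without
# exec. All paths and the marker are constructed; the target is not 7z.

leaking_argv_count() {   # $1 = "plain" or "exec"; prints the number of holders
    mode=$1
    dir=$(mktemp -d) || return 1
    marker="-pCONSTRUCTED_SECRET_$$"

    # Stand-in for /usr/libexec/p7zip/7z: it removes its arguments from argv
    # by exec'ing a command that does not carry them (7z masks them as -p*****).
    printf '#!/bin/sh\nexec sleep 2\n' > "$dir/target"

    # Stand-in for /usr/bin/7z, in the two forms discussed in the report.
    if [ "$mode" = exec ]; then
        printf '#!/bin/sh\nexec "%s" "$@"\n' "$dir/target" > "$dir/wrapper"
    else
        printf '#!/bin/sh\n"%s" "$@"\n' "$dir/target" > "$dir/wrapper"
    fi
    chmod +x "$dir/target" "$dir/wrapper"

    "$dir/wrapper" a test.7z test.dd "$marker" >/dev/null 2>&1 &
    pid=$!
    sleep 1     # let the wrapper and the target reach their steady state

    # Scan every readable command line; matching with `case` keeps the marker
    # out of the argv of any helper process started by the scan itself.
    count=0
    for f in /proc/[0-9]*/cmdline; do
        line=$( { tr '\000' ' ' < "$f"; } 2>/dev/null ) || continue
        case $line in
            *"$marker"*) count=$((count + 1)) ;;
        esac
    done

    wait "$pid" 2>/dev/null || true
    rm -rf "$dir"
    echo "$count"
}

echo "wrapper without exec: $(leaking_argv_count plain) process(es) still show the argument"
echo "wrapper with exec:    $(leaking_argv_count exec) process(es) still show the argument"
```

The same scan loop can be pointed at a real installation by replacing the marker with a test password passed to /usr/bin/7z.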
