[Django] #21392: changepassword option to read from stdin


Django

Nov 6, 2013, 5:54:27 AM
to django-...@googlegroups.com
#21392: changepassword option to read from stdin
------------------------------+--------------------
Reporter: pkasid | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------
It would be really handy to give the user the ability to change a user's
password by supplying it via stdin.

'''Advantages'''
* GUIs can build on top of this feature. Right now an IDE for
Python/Django, for example, cannot give the user the ability to add users
to his/her Django project with a GUI, without ''hacking'' into the Django
core itself.
* Automation tools can build on top of this feature

I suppose that the reason this feature is not implemented yet is that it
is considered a security risk. The fact is that this practice can be found
in several pieces of software in the UNIX/Linux core.

* Some versions of '''passwd''' can read the new password from stdin
([http://linux.die.net/man/1/passwd])
* '''chpasswd''' gets its input from stdin
* '''useradd''' can even get the encrypted passwords from the command line
(this could be considered even more risky since you can see the given
password in the process history)

I think since this practice already exists in most (if not in all)
UNIX/Linux systems, it's not a security breach to be added to Django as
well.

I will start working on this patch myself.

--
Ticket URL: <https://code.djangoproject.com/ticket/21392>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Nov 6, 2013, 6:02:03 AM
to django-...@googlegroups.com
#21392: changepassword option to read from stdin
------------------------------+--------------------------------------
Reporter: pkasid | Owner: pkasid
Type: New feature | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Changes (by pkasid):

* owner: nobody => pkasid
* needs_better_patch: => 0
* status: new => assigned
* needs_tests: => 0
* needs_docs: => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/21392#comment:1>

Django

Nov 6, 2013, 11:06:18 AM
to django-...@googlegroups.com
#21392: changepassword option to read from stdin
------------------------------+--------------------------------------
Reporter: pkasid | Owner: pkasid
Type: New feature | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: duplicate
Keywords: | Triage Stage: Unreviewed

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Changes (by claudep):

* status: assigned => closed
* resolution: => duplicate


Comment:

This was already wontfixed in #18897. I suggest you start a thread on the
django-developers mailing list to make your case. Reopen then if you get
core dev support.

--
Ticket URL: <https://code.djangoproject.com/ticket/21392#comment:2>

Django

Nov 6, 2013, 11:15:25 AM
to django-...@googlegroups.com
#21392: changepassword option to read from stdin
------------------------------+--------------------------------------
Reporter: pkasid | Owner: pkasid
Type: New feature | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: duplicate
Keywords: | Triage Stage: Unreviewed

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------

Comment (by pkasid):

Sorry but this is not a duplicate. I am proposing reading the password
from the standard input. Not as a second parameter. The security risks
listed at #18897 are not valid for my ticket.

> If something can be put on the command line, someone is going to try and
> use the argument in a script.

No password is put in the command line

> If you type the password at the command line, it will be preserved in
> command history, which means anyone who can get access to your login can
> find out your password, too.

No password is typed in the command line

Could you please reconsider opening my ticket?

--
Ticket URL: <https://code.djangoproject.com/ticket/21392#comment:3>
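
The distinction drawn in the comment above (password as a command-line argument versus password on standard input), as an added example that is not part of the ticket or of Django's code. `read_new_password` and `secret_in_child_argv` are hypothetical names, and the child process is only a stand-in for a management command.

```python
import getpass
import io
import subprocess
import sys

# Stand-in for a management command: consumes one line of stdin, then reports
# the arguments it was started with (the part a process listing displays).
CHILD = "import sys; sys.stdin.readline(); print(repr(sys.argv[1:]))"


def read_new_password(stream=None):
    """Return the new password from a terminal prompt or from piped input."""
    stream = sys.stdin if stream is None else stream
    if stream.isatty():
        # Interactive use: prompt twice with echo disabled.
        first = getpass.getpass("Password: ")
        if first != getpass.getpass("Password (again): "):
            raise ValueError("passwords do not match")
        return first
    # Piped use (GUI or automation tool): take one line from the pipe.
    password = stream.readline().rstrip("\r\n")
    if not password:
        raise ValueError("no password supplied on stdin")
    return password


def secret_in_child_argv(secret, via_argv):
    """Start the stand-in command and report whether its argv holds the secret."""
    cmd = [sys.executable, "-c", CHILD]
    if via_argv:
        cmd.append(secret)           # password as an argument (wontfixed in #18897)
        stdin_data = "\n"
    else:
        stdin_data = secret + "\n"   # password on stdin (what this ticket asks for)
    out = subprocess.run(cmd, input=stdin_data, capture_output=True,
                         text=True, check=True).stdout
    return secret in out


if __name__ == "__main__":
    sample = "constructed-sample-pw"  # constructed value, not a real secret
    print("argv holds secret: ", secret_in_child_argv(sample, via_argv=True))
    print("stdin holds secret:", secret_in_child_argv(sample, via_argv=False))
    print("piped read:", read_new_password(io.StringIO(sample + "\n")))
```
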

Django

Nov 6, 2013, 4:01:40 PM
to django-...@googlegroups.com
#21392: changepassword option to read from stdin
------------------------------+--------------------------------------
Reporter: pkasid | Owner: pkasid
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Changes (by aaugustin):

* status: closed => new
* resolution: duplicate =>


Comment:

I don't know if it's a good idea but indeed it wasn't discussed in the
other ticket.

--
Ticket URL: <https://code.djangoproject.com/ticket/21392#comment:4>

Django

Dec 2, 2013, 9:35:21 AM
to django-...@googlegroups.com
#21392: changepassword option to read from stdin
------------------------------+------------------------------------
Reporter: pkasid | Owner: pkasid

Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Changes (by aaugustin):

* stage: Unreviewed => Accepted


Comment:

I'm going to move this to Accepted, which may trigger the wrath of the
security overlords...

--
Ticket URL: <https://code.djangoproject.com/ticket/21392#comment:5>

Django

Feb 16, 2014, 6:49:52 AM
to django-...@googlegroups.com
#21392: changepassword option to read from stdin
------------------------------+------------------------------------
Reporter: pkasid | Owner: pkasid
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------

Comment (by AeroNotix):

I don't believe this is a security concern at all. The option is to enable
reading *from* stdin, not a --this-is-my-new-password-bro switch. Seems
reasonable.

--
Ticket URL: <https://code.djangoproject.com/ticket/21392#comment:6>

Django

Feb 16, 2014, 6:54:34 AM
to django-...@googlegroups.com
#21392: changepassword option to read from stdin
------------------------------+-------------------------------------
Reporter: pkasid | Owner: AeroNotix

Type: New feature | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
------------------------------+-------------------------------------
Changes (by AeroNotix):

* status: new => assigned

* owner: pkasid => AeroNotix


--
Ticket URL: <https://code.djangoproject.com/ticket/21392#comment:7>

Django

Feb 16, 2014, 9:01:51 AM
to django-...@googlegroups.com
#21392: changepassword option to read from stdin
-------------------------------------+-------------------------------------
Reporter: pkasid | Owner: AeroNotix
Type: New feature | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by AeroNotix):

* has_patch: 0 => 1
* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/21392#comment:8>

Django

Feb 16, 2014, 9:02:59 AM
to django-...@googlegroups.com
#21392: changepassword option to read from stdin
------------------------------+-------------------------------------
Reporter: pkasid | Owner: AeroNotix
Type: New feature | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
------------------------------+-------------------------------------
Changes (by bmispelon):

* stage: Ready for checkin => Accepted


Comment:

The "ready for checkin" flag is for when someone else has reviewed your
patch and deemed it ready.

--
Ticket URL: <https://code.djangoproject.com/ticket/21392#comment:9>

Django

Jun 5, 2014, 7:24:38 PM
to django-...@googlegroups.com
#21392: changepassword option to read from stdin
------------------------------+-------------------------------------
Reporter: pkasid | Owner: AeroNotix
Type: New feature | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
------------------------------+-------------------------------------
Changes (by timo):

* has_patch: 1 => 0


Comment:

The ticket has "Has patch" set, but I don't see a patch or a link to a
pull request?

--
Ticket URL: <https://code.djangoproject.com/ticket/21392#comment:10>

Django

Jul 25, 2015, 9:18:05 AM
to django-...@googlegroups.com
#21392: changepassword option to read from stdin
------------------------------+-------------------------------------
Reporter: pkasid | Owner: AeroNotix
Type: New feature | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
------------------------------+-------------------------------------

Comment (by mokys):

What does it mean "read password from stdin" if it is not already possible
(the command asks you for a password at least from Django 1.2) and if it
doesn't mean to put it into a command line (--password my-new-pass)?

--
Ticket URL: <https://code.djangoproject.com/ticket/21392#comment:11>

Django

Nov 20, 2018, 12:07:59 PM
to django-...@googlegroups.com
#21392: changepassword option to read from stdin
----------------------------------+-------------------------------------
Reporter: Paris Kasidiaris | Owner: AeroNotix

Type: New feature | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
----------------------------------+-------------------------------------

Comment (by James Pic):

Implemented in a reusable third-party CLI: https://yourlabs.io/oss/djcli

--
Ticket URL: <https://code.djangoproject.com/ticket/21392#comment:12>

Django

Apr 13, 2019, 10:53:39 AM
to django-...@googlegroups.com
#21392: changepassword option to read from stdin
----------------------------------+------------------------------------
Reporter: Paris Kasidiaris | Owner: (none)

Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
----------------------------------+------------------------------------
Changes (by countermeasure):

* owner: AeroNotix => (none)
* status: assigned => new


--
Ticket URL: <https://code.djangoproject.com/ticket/21392#comment:13>

Django

Mar 18, 2024, 1:42:29 AM
to django-...@googlegroups.com
#21392: changepassword option to read from stdin
----------------------------------+------------------------------------
Reporter: Paris Kasidiaris | Owner: (none)
Type: New feature | Status: new
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+------------------------------------
Changes (by Ülgen Sarıkavak):

* cc: Ülgen Sarıkavak (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/21392#comment:14>