Inno Setup - request to prevent logging setup command line


Anurag Tyagi

May 3, 2023, 3:12:34 AM
to innosetup
Hey,

Current innosetup code logs the setup command line (ref https://github.com/jrsoftware/issrc/blob/is-5_5_5/Projects/Main.pas#L2961) which can be a security risk if service account credentials are passed in as arguments via the command line. This results in logging the password in plain text.

Can we remove this log or have a way to disable this (maybe adding a flag could help)?

Thanks,
Anurag Tyagi

Eivind Bakkestuen

May 3, 2023, 4:39:38 AM
to inno...@googlegroups.com
Perhaps consider obfuscating such credentials, or pass them in a file that the installer can read before wiping?


Gavin Lambert

May 3, 2023, 7:52:34 PM
to inno...@googlegroups.com
You should not accept credentials via command line; instead use /LOADINF.

There's some sample code at:

https://web.archive.org/web/20130905220834/http://www.vincenzo.net/isxkb/index.php?title=Remembering_Custom_Page_Settings
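
The /LOADINF approach suggested above, sketched as an Inno Setup [Code] fragment. This is an added example, not code from the thread, the linked article or the Inno Setup project; the [ServiceAccount] section and its User/Password keys are hypothetical names, and it assumes nothing else needs the settings file once the script has read it.

```pascal
// Goes in the [Code] section of the installer's .iss script.
// The section and key names ('ServiceAccount', 'User', 'Password') are
// hypothetical; choose names that do not clash with the [Setup] section
// of the settings file.
var
  ServiceUser, ServicePassword: String;

function InitializeSetup(): Boolean;
var
  InfFile: String;
begin
  Result := True;

  // Only the path of the settings file is on the command line, so that is
  // all the log and the process listing can show.
  InfFile := ExpandConstant('{param:LOADINF}');
  if InfFile = '' then
  begin
    Log('No /LOADINF file given; service account not configured.');
    Exit;
  end;
  if not FileExists(InfFile) then
  begin
    Log('Settings file named by /LOADINF was not found.');
    Result := False;
    Exit;
  end;

  ServiceUser := GetIniString('ServiceAccount', 'User', '', InfFile);
  ServicePassword := GetIniString('ServiceAccount', 'Password', '', InfFile);

  // Record that a value was read, never the value itself.
  if ServicePassword <> '' then
    Log('Service account credentials loaded for user ' + ServiceUser)
  else
    Log('Settings file has no [ServiceAccount] Password entry.');

  // Remove the file once it has been read (assumption: the automation does
  // not reuse it). DeleteFile unlinks the file; it does not overwrite it.
  if not DeleteFile(InfFile) then
    Log('Could not delete the settings file; remove it manually.');
end;
```

With this in place the automation passes only `/LOADINF="<path to settings file>"`, so the logged command line shows a file path rather than the password. The settings file should be readable only by the account that runs the installer.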

Wilenty org

May 13, 2023, 12:58:57 PM
to innosetup
Hello Anurag Tyagi,

please ask the Inno-Setup owners to add an option to disable this "shitty" log-file, because many people "don't like it", in the:
"Inno Setup log entries - prevent logging dll function import": https://groups.google.com/g/innosetup/c/cTphMKv4cLA/m/6CJPYk-iBQAJ

Ask those persons:
Martijn Laan (current developer)
and/or:
Jordan Russell (project {InnoSetup} owner)

Greetings,
Wilenty

Eivind Bakkestuen

May 14, 2023, 5:07:58 AM
to inno...@googlegroups.com
A plausible reason for the request might, just might, help getting it considered...


Gavin Lambert

May 14, 2023, 7:24:29 PM
to inno...@googlegroups.com
On 15/05/2023 06:20, Wilenty org wrote:
> Many time you are talking completely "bullshit", so your help here is
> this same as ask the wall to hit you...
>
> For example ("Nobody here knows what command line options exist in the
> original installer (if the options you need even exist). Get back to the
> creator and explain this to them."):
> https://groups.google.com/g/innosetup/c/I2kVXbzYAL0/m/8W9npOfyAAAJ
>
> so, look at my GitHub:
> https://github.com/Wilenty/-code-of-LightHouseStudio-9.15.0.1-by-Sawtooth-Software
>
> So, please think twice before you will try to "help" with your "stupid
> ideas" on this Inno-Forum

Neither being rude to other people here nor reverse-engineering and
reposting code of commercial software are activities that are
appreciated here. Please think twice before doing either of these
things yourself.

There is a significant difference between things that *can* be done and
things that *should* be done, in both regards (as well as the original
topic). Their post was correct. Yours is not.

Wilenty org

May 18, 2023, 6:06:23 PM
to innosetup
Gavin Lambert wrote:
'Neither being rude to other people here nor reverse-engineering and
reposting code of commercial software are activities that are
appreciated here. Please think twice before doing either of these
things yourself.

There is a significant difference between things that *can* be done and
things that *should* be done, in both regards (as well as the original
topic). Their post was correct. Yours is not. '

Did I ask about "Eivind Bakkestuen"'s opinion in my previous message?:
'

Hello Anurag Tyagi,

please ask the Inno-Setup owners to add an option to disable this "shitty" log-file, because many people "don't like it", in the:
"Inno Setup log entries - prevent logging dll function import": https://groups.google.com/g/innosetup/c/cTphMKv4cLA/m/6CJPYk-iBQAJ

Ask those persons:
Martijn Laan (current developer)
and/or:
Jordan Russell (project {InnoSetup} owner)

Greetings,
Wilenty
"

But, "Eivind Bakkestuen" wrote:
"A plausible reason for the request might, just might, help getting it considered..."

I just "showed the way" for the "topics owner", but not for the "smarter Eivind Bakkestuen"...

So, please tell me for what I have to read (and yours) this nonsense message(s)?

BTW, thanks to you "Gavin Lambert" that my message "survived" :D

But, if you want to know my opinion... If you add an option to enable the log/logging from command-line, you have to also add an option to disable it via script/[code] that's all!

Greetings
Wilenty

Gavin Lambert

May 18, 2023, 7:00:17 PM
to inno...@googlegroups.com
On 19/05/2023 10:06, Wilenty org wrote:
> please ask the Inno-Setup owners to add an option to disable this
> "shitty" log-file, because many people "don't like it", in the:
> "Inno Setup log entries - prevent logging dll function import":
> https://groups.google.com/g/innosetup/c/cTphMKv4cLA/m/6CJPYk-iBQAJ

Using such phrasing is unlikely to endear you to the developers, either.

The purpose of the log file is to log things that are done, so that
problems can be diagnosed. The command line is highly relevant to what
the installer does and it is reasonable that it is logged. As is
logging of registry writes that you seemed particularly incensed by in
an earlier post.

Before you posted to this thread, the original poster's question of "how
to avoid logging secrets in the command line" was already answered, i.e.
to pass them a different way, which will avoid them being logged. As
such, you are not contributing anything particularly useful to that
discussion.

There are many other places that command lines are visible (including in
Task Manager) and so it's never a good idea to pass secrets on the
command line even if Inno weren't logging it.

As has been pointed out to you before, sometimes the correct answer to
"how do I do X?" is not "this is how you do X" but rather "you should
not do X, do Y instead."

> BTW, thanks to you "Gavin Lambert" that my message "survived" :D

I have no special power here; I'm just a frequent poster.

Anurag Tyagi

May 30, 2023, 5:41:54 AM
to innosetup
Since opting for a different way of passing credentials would be a behavior change for deployments and customers might not want it, is there a possibility of having this log (which prints the command line) behind a flag so it can be controlled as per the wish of the developer? Anything being logged is seen as a security concern and it should always be controllable in my opinion.

Thanks,
Anurag Tyagi

Gavin Lambert

May 30, 2023, 7:22:01 PM
to inno...@googlegroups.com
On 30/05/2023 21:41, 'Anurag Tyagi' wrote:
> Since opting for a different way of passing credentials would be a
> behavior change for deployments and Customers might not want it, is
> there a possibility of having this log ( which prints the command line )
> behind a flag so it can be controlled as per the wish of developer?
> Anything being logged is seen as a security concern and it should always
> be controllable in my opinion.

The entire log file is not written by default; it has to be enabled
either by [Setup] directive or by command line parameter.

Regardless, it's trivial to see the command line of any running process
so it has always been a very bad idea to pass secrets on the command
line, no matter whether Inno itself logs it or not.

Mahesh K

Jun 4, 2023, 5:39:04 AM
to innosetup
I'll rephrase the ask on this thread: we ship innosetup as part of our product to 1000s of customers, and customers have already built their automation under the assumption that passwords are passed as part of command line arguments. While we're aware of the alternatives that exist, we want to check with the forum here if we can have an option to disable logging command line parameters.
We're aware of all the workarounds, but asking for the behavior change from all customers would meet resistance and they would prefer continuing on the same path. We're aware of all the other flaws with it as well, but keeping track of the passwords being logged is hard and we prefer to have an option to disable the logging of command line parameters.
With all this considered, please can the forum let us know if we can accommodate the option in innosetup itself?

Gavin Lambert

Jun 5, 2023, 6:57:26 PM
to inno...@googlegroups.com
On 4/06/2023 21:39, 'Mahesh K' wrote:
> I'll rephrase the ask on this thread, we ship innosetup as part of our
> product to 1000's of customer and customer's have already built their
> automation under the assumption that passwords are passed as part of
> command line arguments. While we're aware of the alternatives that
> exists, we want to check with the forum here if we can have an option to
> disable logging command line parameters.
> We're aware of all the workaround, but asking the behavior change to all
> customers would have resistance and they would prefer continuing on the
> same path. We're aware of all the other flaws with it as well, but
> keeping track of the passwords being logged is hard and prefer to have
> an option to disable the logging of command line parameters.
> With all these considering, please can the forum let us know if we can
> accommodate the option in innosetup itself?

"We have already shot 1000 customers in the foot. We would like to
continue doing that. What colour should we repaint the gun so that
they're less likely to notice?"

Gavin Lambert

Jun 5, 2023, 10:23:37 PM
to inno...@googlegroups.com
Mere moments ago, quoth I:
> "We have already shot 1000 customers in the foot.  We would like to
> continue doing that.  What colour should we repaint the gun so that
> they're less likely to notice?"

To rephrase that less flippantly: when you are told that the way you
have been doing things is a security problem, the correct response is
not to bury your head in the sand; the correct response is to fix it.

Yes, this may require existing customers to change things, but you put
that in the release/upgrade notes: that you improved things for security
reasons.

If anyone asks for details, you tell them, so that they can make an
informed decision about whether they want to change their credentials or
not. (FWIW this sort of thing is unlikely to lead to leaks that would
require changing credentials, but that's their choice, not yours. Only
they know what they've done with their files and how important their
credential security is to them.)

Making an honest mistake and fixing it once alerted to the fact is
understandable. Continuing to perpetuate the mistake after such advice
is not.

Nenad Filipovic

Sep 25, 2023, 4:18:11 AM
to innosetup
I would like to second the OP request to avoid a painful security issue. I am aware of the responses file alternative, but also believe that to be an inconvenient limitation.
Supplying of sensitive credentials via the process command line is an industry standard, therefore a logical conclusion:
  • Command line should not be logged by default.
  • Command line logging can be enabled for debugging by setting some diagnostic parameter, or passing another command line parameter to the installer process.
I honestly think Inno Setup needs improvement on this point. The whole industry is shifting towards tighter security, it's due time for Inno Setup to follow suit.

Wilenty do ut des

Dec 18, 2023, 12:34:08 AM
to innosetup
Hello guys (and girls),
because many of you asked for the option to disable the "/log" command-line option from the script, I had created custom InnoSetup that allows you to do that.

After the testing stage is done, in release version set the:

[Setup]
(...)
SetupLogging=disable

Get it here: https://github.com/Wilenty/Plug-ins-for-InnoSetup/blob/main/InnoSetup-6.2.3-LZMA2301-DisableLog.7z

Greetings,
Wilenty

P.S.
Please treat it as a gift for the Christmas time from me. :)

Jernej Simončič

Dec 18, 2023, 4:56:14 AM
to Wilenty do ut des on [innosetup]

On Monday, December 18, 2023, 00:31:40, Wilenty do ut des wrote:

> because many of you asked for the option to disable the "/log" command-line option from the script, I had created custom InnoSetup that allows you to do that.

You do realize that this is pointless? I can get everything (and more) that Inno Setup logs by using Process Monitor, it's just more annoying to parse.

 

-- 
< Jernej Simončič ><><><><>< https://eternallybored.org/ >


Everything takes more time and money.
       -- Decaprio's Rule

Bill Stewart

Jan 18, 2024, 8:06:12 PM
to innosetup
On Wednesday, May 3, 2023 at 1:12:34 AM UTC-6 Anurag Tyagi wrote:

> Current innosetup code logs the setup command line (ref https://github.com/jrsoftware/issrc/blob/is-5_5_5/Projects/Main.pas#L2961) which can be a security risk if service account credentials are passed in as arguments via the command line. This results in logging the password in plain text.

The fix for this is simple: Do not pass service account credentials using the command line.

Bill