Password shown in plain text
ngschaider opened this issue · 5 comments
Currently the password is specified in plain text when invoking mcrcon.
Example:
./mcrcon -H localhost -P 25575 -p MY_PASSWORD
This obviously allows anyone to see the password on the screen while typing it in and also saves the password to ~/.bash_history.
A solution to this is to allow entering the password via a prompt when -p is not specified.
Pull Request #50 implements this kind of prompt (haven't tested it yet, but looks very promising)
This is a good idea. It has been on the TODO list for a long time.
I have to do some testing and see what library dependencies it introduces (trying to keep it minimal).
Prompting definitely rules out the "server maintenance scripts" portion of the raison-d'etre.
Preferred methods for automation would be passing a filename (where the password is in the file) as a variable (e.g. the Docker Secrets method), or as an environment variable.
~/.bash_history is a user file in a user directory; if you have other users looking at your .bash_history, you have additional issues, and I do not believe that to be a concern of a user-space application. I believe you meant to say that adding a value on the command line exposes it via ps -aux (or ps -ef, your choice), which is a valid concern.
Can't you just use this?
./mcrcon -H localhost -P 25575 -p "$(cat /path/to/pw/file)"
For what it's worth, the password and port are both stored in plaintext in the server.properties file. So if a script has read access to that file, then in principle it can grab those values from that file rather than hard-coding them.
It might be a useful feature for mcrcon to take an arg pointing to a server.properties file and read the port and password from there. This would require parsing the file, but that's not too complicated.
The server.properties file is pretty easy to parse with awk, so you could do something like:
./mcrcon -H localhost -p "$(awk -F '=' '$1 == "rcon.password" { print $2; exit }' /path/to/server.properties)"
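The server.properties idea from the last two comments, done inside a C program instead of through a command substitution, so the password never appears in a process argument list. This is an added example, not mcrcon's code or any commenter's; struct rcon_props and rcon_props_read are hypothetical names, and it assumes plain key=value lines with no backslash escapes.

```c
/* Added example, not mcrcon's own code; all names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct rcon_props { char password[128]; int port; /* port 0 = not set */ };
/* Read rcon.password and rcon.port from an open server.properties stream.
 * Returns 0 if a non-empty password was found, -1 otherwise.
 * Assumes plain key=value lines; backslash escapes are not decoded. */
int rcon_props_read(FILE *fp, struct rcon_props *out)
{
    char line[512];
    int have_pw = 0;
    memset(out, 0, sizeof *out);
    while (fgets(line, sizeof line, fp)) {
        line[strcspn(line, "\r\n")] = '\0';       /* strip LF or CRLF */
        char *eq = strchr(line, '=');             /* split on the FIRST '=' only */
        if (line[0] == '#' || line[0] == '!' || !eq)
            continue;                             /* comment or not key=value */
        *eq = '\0';
        const char *val = eq + 1;
        if (strcmp(line, "rcon.password") == 0) {
            if (strlen(val) >= sizeof out->password)
                return -1;                        /* never truncate a secret */
            strcpy(out->password, val);
            have_pw = val[0] != '\0';
        } else if (strcmp(line, "rcon.port") == 0) {
            char *end;
            long p = strtol(val, &end, 10);
            if (end != val && *end == '\0' && p > 0 && p <= 65535)
                out->port = (int)p;
        }
    }
    return have_pw ? 0 : -1;
}

int main(void)
{
    /* Constructed sample; the password deliberately contains '='. */
    struct rcon_props p;
    FILE *fp = tmpfile();
    if (!fp) return 1;
    fputs("#Minecraft server properties\nrcon.port=25575\nrcon.password=s3cr=t\n", fp);
    rewind(fp);
    int rc = rcon_props_read(fp, &p);
    fclose(fp);
    printf("rc=%d port=%d password_len=%zu\n", rc, p.port, strlen(p.password));
    return rc ? 1 : 0;
}
```

The demo prints only the password length, so the secret stays out of terminal scrollback and logs.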