(format "echo %s | \
keepassxc-cli %s %s %s 2>&1 | \
egrep -v '[Insert|Enter] password to unlock %s'"
(shell-quote-argument keepass-mode-password)
It's pretty easy to read command line arguments on Linux, so this method of passing the password leaks the keyring password to anything running on the host in question.
As a test I did this:
(shell-command-to-string "echo foo | ps aux")
user 356548 0.0 0.0 6968 3184 ? Ss 10:41 0:00 /bin/bash -c echo foo | ps aux
user 356550 0.0 0.0 10084 3288 ? R 10:41 0:00 ps aux
I don't know how to solve this in Emacs Lisp, but ideally the password should be pushed to keepassxc-cli's standard in directly from Emacs over a pipe.
(Environment variables also show up in /proc and so aren't the best method of IPC either.)
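One way to do what the report asks for, as an added example that is not part of the original post or of keepass-mode: start keepassxc-cli without a shell and write the password to its stdin over a pipe. The function name `my/keepassxc-cli` and the database path in the usage comment are hypothetical; it assumes keepassxc-cli reads the password from stdin, as the quoted `echo` pipeline already relies on.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example; `my/keepassxc-cli' is a hypothetical name.
(require 'seq)

(defun my/keepassxc-cli (password &rest args)
  "Run keepassxc-cli with ARGS and send PASSWORD on its stdin.
Return the command output as a string.  PASSWORD is never placed
in an argument vector or a shell command string, so it does not
show up in `ps' output or /proc/PID/cmdline."
  (let* ((out (generate-new-buffer " *keepassxc-cli*"))
         (proc (make-process
                :name "keepassxc-cli"
                :buffer out
                ;; Direct exec, no /bin/bash -c "echo ... | ..." wrapper.
                :command (cons "keepassxc-cli" args)
                ;; A pipe rather than a pty, so EOF closes stdin cleanly.
                :connection-type 'pipe
                :noquery t
                ;; Suppress the default "Process ... finished" text.
                :sentinel #'ignore)))
    (unwind-protect
        (progn
          (process-send-string proc (concat password "\n"))
          (process-send-eof proc)
          ;; Wait for exit, then drain any buffered output.
          (while (process-live-p proc)
            (accept-process-output proc 0.1))
          (while (accept-process-output proc 0))
          (with-current-buffer out
            ;; Drop the unlock prompt line, which is what the quoted
            ;; pipeline's egrep -v is meant to do.
            (mapconcat
             #'identity
             (seq-remove
              (lambda (line)
                (string-match-p
                 "\\`\\(Insert\\|Enter\\) password to unlock" line))
              (split-string (buffer-string) "\n"))
             "\n")))
      (when (process-live-p proc) (delete-process proc))
      (kill-buffer out))))

;; Usage (hypothetical database path):
;; (my/keepassxc-cli (read-passwd "Master password: ")
;;                   "ls" (expand-file-name "~/example.kdbx"))
```

`call-process-region` with a string as its first argument also feeds stdin without a shell, but it stages the input in a temporary file first, so `make-process` with a pipe is the closer match to what the report describes.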