2

I'm using xdotool to securely type out a password (as opposed to using the clipboard) from a password manager (pass) and I'm wondering if xdotool has a log somewhere, which would obviously make it insecure.

So is there a log, or any other potential insecurity that anyone else can see?

For reference, this is what I'm using:

#!/usr/bin/env python3
import subprocess
import sys
from time import sleep

if len(sys.argv) == 2:
    delay = int(sys.argv[1])
else:
    delay = 3

data = sys.stdin.readline().rstrip('\n')
sleep(delay)
subprocess.call(['xdotool', 'type', '--clearmodifiers', data])
15
  • Do you really have to provide the password as keyboard input at the X level? There's usually a better way, like getting the program to interface with the password manager directly or to read from a terminal. Commented Oct 21, 2015 at 13:49
  • That sounds great, but I have no idea about how I would do it at a lower level. How can you get a web browser to read from the output of a process? Commented Oct 21, 2015 at 15:24
  • Web browsers typically do have interfaces to password managers. For example Firefox and Chrome can interface with Gnome-keyring. It might take some effort if the password needs to be typed in a field that isn't marked as password. Commented Oct 21, 2015 at 15:34
  • The xdotool command line (including password) will briefly be visible to other processes on the system. Unfortunately I don't know how to work around that. Commented Oct 22, 2015 at 8:48
  • @Gilles One use case: Host a has just been booted and is now displaying a login screen. Home directories are encrypted using ecryptfs. Host b somehow knows the password and wants to type it in on the login screen on host a. Host b can ssh to host a and run xdotool (using key based authentication because sshd has password authentication turned off). Could that use case be solved without using xdotool? Commented Oct 22, 2015 at 8:52

2 Answers 2

3

So there is no xdotool log as far as I am aware, but as kasperd pointed out, running xdotool with the password as an argument is clearly insecure. But we may pass in the password through a pipe to avoid it showing up in the output of ps aux.

echo -n "$pass" | xdotool type --clearmodifiers --file -

By default (in bash), the builtin version of echo is used, which does not execute as its own process, so doesn't show up in ps. You can run builtin echo if you're not sure which version will be used.

2
  • On Ubuntu 14.04 there is no mention of --file in the man page. But it turns out to be working anyways. Commented Mar 24, 2016 at 17:07
  • 1
    @kasperd I know - that's why it took me so long to discover this possibility. I may submit a patch to xdotool to add this information to the man page Commented Mar 24, 2016 at 17:48
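
The pipe approach from the answer above, applied to the question's Python script (an added example, not code from the original posts): the password reaches xdotool over stdin via `--file -`, so the process argv is constant. The `run` parameter and the `argv_exposes` helper are hypothetical names introduced here so the behaviour can be checked without an X session.

```python
#!/usr/bin/env python3
"""Added example: type a secret with xdotool without putting it in argv."""
import subprocess
import sys
from time import sleep

# Fixed argv: '--file -' makes xdotool read the text to type from stdin.
XDOTOOL_ARGV = ["xdotool", "type", "--clearmodifiers", "--file", "-"]


def argv_exposes(argv, secret):
    """True if the secret sits in argv, i.e. is readable via ps or /proc."""
    return any(secret in arg for arg in argv)


def type_secret(secret, delay=0.0, run=subprocess.run):
    """Type `secret` into the focused window and return the argv used.

    `run` is injectable (hypothetical parameter) for offline testing.
    """
    if not secret:
        raise ValueError("refusing to type an empty secret")
    sleep(delay)
    # The secret travels over the stdin pipe only. check=True raises
    # CalledProcessError on failure; its message holds argv, not stdin.
    run(XDOTOOL_ARGV, input=secret.encode("utf-8"), check=True)
    return list(XDOTOOL_ARGV)


def main(argv, stdin):
    delay = int(argv[1]) if len(argv) == 2 else 3
    # Strip the trailing newline so xdotool does not also press Return.
    secret = stdin.readline().rstrip("\n")
    try:
        type_secret(secret, delay)
    except FileNotFoundError:
        print("xdotool is not installed", file=sys.stderr)
        return 1
    except subprocess.CalledProcessError as exc:
        print(f"xdotool exited with status {exc.returncode}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv, sys.stdin))
```
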
0

Instead of calling xdotool using Python's subprocess.call() you should directly interface with the library underlying xdotool: libxdo.

The bindings for Python are available in python-libxdo and allow you to "type" the password from within Python without ever showing up in ps aux, as there is no separate process invoked.
