True for prompts, but not for running commands via cap. It just runs
it as a raw string, so whatever is provided is echoed to the logger:
run "mysql -p #{password}"
Even if "password" is obtained via a CLI prompt, a mysql command ran
in this fashion will echo out the password. You can either:
1. Change the command for mysql to prompt, in the fashion sudo does,
and write a custom handler for it (see invocation.rb)
2. Override the run command to skip logging on commands you don't want
logged
3. Set the logger's log level higher than debug, which is the level
execution are logged at.
4. ... I'm sure the list goes on.
On Apr 1, 2008, at 11:09 AM, Ken Collins wrote:
>
> Butting in here... but I thought if you installed the termios gem
> then it would not echo/log your password? Does that help solve your
> issue?
>
> - Ken
>
>
> On Apr 1, 2008, at 12:38 PM, Andrew McClain wrote:
>
>>
>> Sean,
>>
>> I'm already prompting the user for a password using password_prompt.
>>
>> The issue isn't showing the password when the user _enters_ it, the
>> issue is that the password shows up in the capistrano log when the
>> command is executed.
>>
>> i.e.
>>>> pass = Capistrano::CLI.password_prompt('secret password:')
>>>> run "mysql -p #{pass}"
>>
>> secret password:
>> {USER ENTERS FOO}
>>
>> * executing "mysql -p FOO" <--- there it is in plaintext!
>>
>> I'm wondering how capistrano manages to get around this for sudo
>> passwords, which look like:
>> * executing "sudo -p 'sudo password: ' some_command" <---
>> obfuscated
>>
>>
>> On Apr 1, 6:18 am, Sean Cribbs <[EMAIL PROTECTED]> wrote:
>>> Andrew,
>>>
>>> The -p option on sudo provides the prompt for the password, not the
>>> actual password. This helps Capistrano tell when sudo is
>>> prompting for
>>> a password. If you don't want the password to be echoed to the
>>> screen,
>>> require the cap user to type in the password on starting your
>>> recipe or
>>> when necessary to execute any given command.
>>>
>>> Sean Cribbs
>>>
>>> Andrew McClain wrote:
>>>> There are a couple of times in my deploy scripts where I need to
>>>> ask
>>>> for passwords; However, in the cap log output, I see those
>>>> passwords
>>>> in plain text.
>>>
>>>> I've been poking around the code to see how Cap displays " *
>>>> executing
>>>> "sudo -p 'sudo password: '...", and all I can find is the
>>>> sudo_prompt
>>>> method which looks like it displays the obfuscated 'sudo
>>>> password: '
>>>> when it can't find the :sudo_prompt symbol...
>>>
>>>> Can anyone explain how this mechanism works? Or, an alternate
>>>> method
>>>> from preventing my password from showing up in my terminal history?
>> >>
>
--~--~---------~--~----~------------~-------~--~----~
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/capistrano
-~----------~----~----~----~------~----~------~--~---
