Hi everybody,

Sorry if this isn't the correct list; I'm new to Ruby and couldn't find an
answer to this question in the other likely places.

I'm working on a tool that wraps the Arch Linux command line password manager
"pwsafe". It keeps your master password in memory for ten minutes so that you
don't have to re-type it so much. Recently I found a vulnerability and have to
re-write the function that invokes the main pwsafe program to get the
application password. It looks like this now:
      
def fetch_app_password
  master_password = driver.get # fetch the password from the user
  # TODO stop printing the user's master password in cleartext
  open( "| #{PWSAFE} -q -E -p #{stringified_args}", 'r+' ) do |pwsafe_pipe|
    pwsafe_pipe.write(master_password + "\n")
    app_password = pwsafe_pipe.readline()
    # readline keeps the trailing newline, so strip it before comparing
    if app_password.chomp == "Passphrase is incorrect"
      system 'killall pwsafe'
      raise 'Passphrase is incorrect'
    end
    return app_password
  end
  raise 'an error occurred'
end

This code invokes pwsafe and correctly returns the application password the
user asked for; however, the entire exchange between the password safe and the
Ruby program occurs in the user's terminal - in cleartext. This is unacceptable
because shoulder surfers are definitely part of my threat model.

I've tried a few things, including running `stty -echo` just before opening
the pipe; none of them have prevented that master_password variable from ending
up on the terminal. Can anyone suggest a good way to silence the master
password, or (even better) the entire conversation?

Thanks,
Dolan
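
One way to keep the whole conversation off the user's terminal, as an added example that is not part of the original post: start the child on its own pseudo-terminal with Ruby's PTY library and turn echo off on it. The names fetch_via_pty and STUB and the prompt pattern are assumptions; STUB is a constructed shell stand-in for the pwsafe command line, and the example assumes the child talks to whatever terminal it is started on.

```ruby
require 'pty'
require 'io/console'

# Constructed stand-in for the real command: prompts, reads one line, answers.
STUB = ['sh', '-c',
        'printf "Enter passphrase: "; read p; ' \
        'if [ "$p" = "hunter2" ]; then echo app-secret; ' \
        'else echo "Passphrase is incorrect"; fi'].freeze

# Hypothetical helper: run argv on a private pseudo-terminal so neither the
# prompt nor the passphrase reaches the user's terminal. The prompt pattern
# is an assumption about what the child prints before it reads.
def fetch_via_pty(argv, master_password, prompt: /passphrase.*:\s*\z/i, timeout: 10)
  reply = +''
  PTY.spawn(*argv) do |reader, writer, pid|
    writer.echo = false            # the pty must not echo what we send
    seen = +''
    until seen =~ prompt           # wait until the child asks for the passphrase
      raise 'timed out waiting for prompt' unless IO.select([reader], nil, nil, timeout)
      seen << reader.readpartial(1024)
    end
    writer.write(master_password + "\n")
    begin
      loop { reply << reader.readpartial(1024) }
    rescue Errno::EIO, EOFError
      # the child closed its side of the pty (Linux reports this as EIO)
    end
    Process.wait(pid)
  end
  # Output written to a pty ends in "\r\n"; keep only non-empty lines.
  lines = reply.split(/\r?\n/).reject(&:empty?)
  raise 'an error occurred' if lines.empty?
  raise 'Passphrase is incorrect' if lines.last.include?('Passphrase is incorrect')
  lines.last
end

# Stand-alone demonstration against the constructed stub.
puts fetch_via_pty(STUB, 'hunter2') if __FILE__ == $PROGRAM_NAME
```

Passing the command as an argument array to PTY.spawn also keeps the arguments away from a shell, unlike the interpolated "| ..." string passed to open.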