Security – How to Trigger System Self Destruct with Password

passwordSecurity

How do I configure my system to destroy all personal data when a certain password is entered? The motivation behind this being NSA stuff.

I imagine there being three primary usage cases.

At login, the entering of a predetermined password triggers destruction of user data.
At system wake up. entering of a predetermined password triggers destruction of personal data.
Entering any privileged command with a predetermined password triggers destruction of personal data.

I know that something like

dd if=/dev/urandom of=/dev/$HOME

Should be adequate for data destruction. I don't know how to have that triggered by a certain password, however.

Bonus points if it then permits a login while the data is being deleted.

Best Answer

Idea #1 - Hidden OS

As an alternative method you could make use of TrueCrypt's "Hidden Operating System". This allows you to access a fake alternative OS when a certain password is used, rather than the primary OS.

excerpt

If your system partition or system drive is encrypted using TrueCrypt, you need to enter your pre-boot authentication password in the TrueCrypt Boot Loader screen after you turn on or restart your computer. It may happen that you are forced by somebody to decrypt the operating system or to reveal the pre-boot authentication password. There are many situations where you cannot refuse to do so (for example, due to extortion). TrueCrypt allows you to create a hidden operating system whose existence should be impossible to prove (provided that certain guidelines are followed — see below). Thus, you will not have to decrypt or reveal the password for the hidden operating system.

Bruce Schneier covers the efficacy of using these (Deniable File Systems, so you might want to investigate it further before diving in.

The whole idea of Deniable Encryption is a bit of a can of worms, so caution around using it in certain situations needs to be well thought out ahead of time.

Idea #2 - Add a script to /etc/passwd

You can insert alternative scripts to a user's entry in the /etc/passwd file.

Example

# /etc/passwd
tla:TcHypr3FOlhAg:237:20:Ted L. Abel:/u/tla:/usr/local/etc/sdshell

You could setup a user's account so that it runs a script such as /usr/local/etc/sdshell which will check to see what password was provided. If it's the magical password that triggers the wipe, it could begin this process (backgrounded even) and either drop to a shell or do something else.

If the password provided is not this magical password, then continue on running a normal shell, /bin/bash, for example.

Source: 19.6.1 Integrating One-Time Passwords with Unix

Related Solutions

Security – Securely Feed a Program with a Password

In regard to your update:

When a process is started it has a dedicated area of memory where arguments are stored and a int which tells how many arguments was passed.

MEMORY
argc    2
argv[0] program_name
argv[1] foo
argv[2] bar

MySQL check if password was passed on command line by -p, and if it was copy it to a new variable that is not visible, then overwrite that region of memory with x'es.

In simple terms e.g.:

argc 2
argv[1] -p
argv[2] p4ssw0rd

new_var = copy(argv[2]);
argv[2] = "xxxxx";

You can find it e.g. in client/mysqladmin.cc of the source code:

  case 'p':
      ...
      opt_password=my_strdup(argument,MYF(MY_FAE));
      while (*argument) 
          *argument++= 'x';     /* Destroy argument */

When ps run it reads the memory region of the arguments, (argv[N]), and thus it is xxxx.

For a very short while the password is visible, but only for a few CPU cycles.

You can update the MySQL password using the special --init-file option and procedure. C.5.4.1.2. Resetting the Root Password: Unix Systems

mysqld_safe --init-file=/home/me/mysql-init &

Edit:

As @Gilles say, you can echo, printf or use here document from a script.

You can also add this to .my.cnf of your home directory or in a (temporary) file and use the --defaults-extra-file option. (Believe you have to add that option early on the command line.) optionally also include user. Also note the extra in the option name unless you want to use only that file as configuration:

[client]
user=foo
password='password!'

shell> chmod 400 my_tmp.cnf
shell> mysql --defaults-extra-file=my_tmp.conf -...

Optionally the [client] grouping makes mysqld skip the configuration.

One can also use MYSQL_PWD environment variable, but that should never be used as you can list environment, in many ps implementations by ps -e, in the /proc/<PID>/environ file on Linux etc.

tr '\0' '\n' < /proc/<PID>/environ

Show entered new password in unix “passwd” command

If you really want to go this path and there's no passwd parameter, you can use this Expect script:

#!/usr/bin/env expect -f
set old_timeout $timeout
set timeout -1

stty -echo
send_user "Current password: "
expect_user -re "(.*)\n"
set old_password $expect_out(1,string)

stty echo
send_user "\nNew password: "
expect_user -re "(.*)\n"
set new_password $expect_out(1,string)

set timeout $old_timeout
spawn passwd
expect "password:"
send "$old_password\r"
expect "password:"
send "$new_password\r"
expect "password:"
send "$new_password\r"
expect eof

How it works:

[dave@hal9000 ~]$ ./passwd.tcl
Current password: 
New password: bowman
spawn passwd
Changing password for user dave.
Changing password for dave.
(current) UNIX password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

This shell script might also work (tested on Fedora 20 with bash-4.2.47-2 and passwd-0.79-2):

#!/bin/sh
stty -echo
echo -n "Current password: "
read old_password

stty echo
echo
echo -n "New password: "
read new_password

passwd << EOF
$old_password
$new_password
$new_password
EOF