Correct Syntax For --Pass-Io To Pass Params?

I’m having trouble getting the syntax right passing params from dom0 to a qube.

If this is the terminal command in the qube, how would it translate using qvm-run to execute from dom0 passing the params:

Params:

vault_path
slot
pim
pwd

Qube command:
veracrypt --mount $vault_path -p "$pwd" --slot $slot --pim="$pim"

How to run ^^^ from dom0?

qvm-run $qube_name --pass-io veracrypt --mount $vault_path -p "$pwd" --slot $slot --pim="$pim"

… all the versions I can think of so far haven’t worked getting the params to pass correctly.

The problem is the "--" required by the veracrypt command is causing qvm-run to throw the error "unrecognized arguments".

Is the target VM shell linux bash, windows cmd, or something else?

dom0 bash script calling a Linux qube veracrypt mount.

The problem I think isn’t the --pass-io, it’s the double quotes around the command, that mess with the "" required around -p and --pim options.
I think I need to escape them. Still pretty new to bash.

Assuming target is bash, I have:

  1. Determined it is safer to provide single quotes around strings given to the target VM.
  2. Quoted $vault_path and $slot, just to be sure.

Assuming the variables are defined in your dom0 script, then, i think this will work or is close:

qvm-run $qube_name --pass-io 'veracrypt --mount '"'""$vault_path""'"' -p '"'""$pwd""'"' --slot '"'""$slot""'"' --pim='"'""$pim""'"
  1. Use ' for non-expandable/non-escapable string content.
  2. Use " for expandable/escapable (*, etc.) string content, but also to concatenate single quotes into the string.
  3. Use concatenation with no spaces between quoting such that it all comes across as a single string to the target shell. It took me forever to understand the utility of this “trick”.

The problem remains that if your password has shell expansion characters in it this will still fail.

A further trick is to incorporate this construct:

# Escapes all single quotes, then surrounds the string with a start and end single quote
esc() {
	printf "%s" "$1" | sed -e "s/'/'\"'\"'/g" -e "1s/^/'/" -e "\$s/\$/'/"
}
# Utilize the function so that we don't need to quote pwd.
esc_pwd=$(esc "${pwd}")

And then replace any usage of "$pwd" with $esc_pwd (no quotes on the latter, since they are now part of the string).

B

PS - If I took this approach, I would also want to investigate to see if there is any logging of qvm-run parameters anywhere, as you certainly do not want passwords logged.

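As an added worked example (not code from the thread or from B's post), here is the quoting approach above generalised: the esc() idea becomes a helper that is applied to every parameter, the whole remote command is assembled as one string, and a local round-trip check proves the qube's shell would receive the original values unchanged even when the password contains a space, a single quote, a double quote, a glob and a $( ) substitution. Assumptions: bash or sh on both sides, and the names shquote, build_remote_cmd, roundtrip_ok and mount_vault, the path /home/user/vault.hc and the sample slot/PIM/password are mine, not from the thread. veracrypt itself is never run here; a stand-in function records its arguments.

```shell
#!/bin/sh
# Added example, not code from the thread: generalise the esc() idea into a
# quoting helper and build the whole remote command line with it, so every
# parameter (not just the password) is safe from the qube shell's expansion.
# Assumptions: sh/bash in dom0 and in the target qube; the helper names, the
# sample path /home/user/vault.hc and the sample values are constructed.

# shquote STRING: emit STRING wrapped in single quotes, with each embedded
# single quote rewritten as '\'' (close quote, escaped quote, reopen).
# Nothing else is special inside single quotes, so $, *, `, ", spaces and
# embedded newlines all survive untouched. The empty string becomes ''
# explicitly, because sed prints nothing for empty input. Limitation: a
# password that ENDS in a newline loses that newline to $(...) capture.
shquote() {
    if [ -z "$1" ]; then
        printf "''"
        return
    fi
    printf '%s' "$1" | sed -e "s/'/'\\\\''/g" -e "1s/^/'/" -e "\$s/\$/'/"
}

# build_remote_cmd VAULT_PATH SLOT PIM PASSWORD: the exact string that dom0
# hands to the qube's shell. Handing qvm-run ONE argument is what avoids its
# "unrecognized arguments" error for --mount/--slot/--pim.
build_remote_cmd() {
    printf 'veracrypt --mount %s -p %s --slot %s --pim=%s' \
        "$(shquote "$1")" "$(shquote "$4")" "$(shquote "$2")" "$(shquote "$3")"
}

# roundtrip_ok VAULT_PATH SLOT PIM PASSWORD: prove the quoting locally.
# A stand-in 'veracrypt' function records its argv, and eval re-parses the
# built string exactly as the qube's shell would. Returns 0 when the four
# values arrive byte-for-byte unchanged. eval is applied only to our own output.
roundtrip_ok() {
    cmd=$(build_remote_cmd "$1" "$2" "$3" "$4")
    veracrypt() { printf '%s\n' "$@"; }
    got=$(eval "$cmd")
    want=$(printf '%s\n' --mount "$1" -p "$4" --slot "$2" "--pim=$3")
    unset -f veracrypt
    [ "$got" = "$want" ]
}

# mount_vault QUBE VAULT_PATH SLOT PIM PASSWORD: the real dom0 call. It is
# defined but not invoked in this example, since qvm-run exists only in dom0.
mount_vault() {
    qvm-run --pass-io "$1" "$(build_remote_cmd "$2" "$3" "$4" "$5")"
}

# Constructed sample values (not real secrets); the password deliberately
# contains a space, a single quote, a double quote, a glob and a $( ) call.
demo_pwd='pa$s '"'"'wo"rd*$(rm -rf ~)'
printf 'remote command: %s\n' "$(build_remote_cmd /home/user/vault.hc 3 42 "$demo_pwd")"
if roundtrip_ok /home/user/vault.hc 3 42 "$demo_pwd"; then
    echo 'round-trip OK: the qube shell would see the original arguments'
else
    echo 'round-trip FAILED' >&2
fi
```

Two caveats worth keeping in mind. First, quoting only solves the parsing problem: once the command runs, the password is an argument of the veracrypt process (and of the shell qvm-run spawned), so any process in that qube that can read /proc/<pid>/cmdline or run ps can see it for as long as veracrypt is mounting. If your VeraCrypt build accepts --stdin (check veracrypt --help), feeding the password over --pass-io's stdin instead of -p keeps it out of argv entirely. Second, eval is used here only as a local model of the remote shell re-parsing our own output; never eval strings that come from the qube.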

I’m encrypting the passwords in a password.txt file using openssl, sha512. Then using a salt-pass to decrypt and read into a variable for the script.

The script only has the salt-pass. But the password has to be read into a variable into memory.

I blank the password var after the vault opens.

Is there anywhere the password var held in RAM would log?

The top level vault that holds all the encrypted password.txt files requires a direct password input into the Veracrypt GUI. At that point the other vaults are auto opened, using the encrypted password.txt files and the salt-pass.

If attacker can get into the top level vault, the vaults are further protected with keyfiles on removable media.

The risk I see is password logging somewhere I’m not aware of?

Can you imagine how the script variable held in RAM could end up in a log?