Dropping the password requirement for running CiviCRM via the command line
Thanks to the successful Make It Happen on consolidated cron jobs, we can set just one cron job per site.
As described in the docs, you can set this cron job using either a "URL" method or a "CLI" method.
The URL method uses wget or curl to mimic a web page request as if it were made anonymously over the Internet. With this method, we certainly want to require a password to avoid having anonymous users hitting your cron job (which could be a vector for a denial-of-service attack). And CiviCRM rightly requires this password, refusing to run if it is missing or incorrect.
However, why are we requiring a password when using the CLI method?
If you have command line access to a CiviCRM install and you have read-access to the civicrm.settings.php file, you already have full access to the database.
If we require users to type a password when they run their CLI commands, it will in fact reduce security because:
- It encourages users to put plain-text passwords in their cron jobs
- For users who run the CLI commands manually, it encourages them to use short or easy-to-remember passwords to make it more convenient
- Passwords provided directly on the command line are leaked to any other user on the system who can run ps to see running commands
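To find where this is already happening, the following added example (not part of the original post or of CiviCRM) audits crontab entries or ps output for passwords passed as arguments. The -p/--password option names, the pass= and key= URL parameters, and all sample hosts, paths and credentials are assumptions made for illustration.

```python
import shlex
from urllib.parse import urlsplit, parse_qsl

# Assumed names: -p/--password for cli.php, pass=/key= for the URL method.
CLI_FLAGS = ("-p", "--password")
URL_PARAMS = ("pass", "key")

def find_exposed_secrets(command):
    """Return (method, argument) pairs for secrets visible in one command line."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    # Only treat -p as a password flag when the command runs cli.php,
    # so that unrelated commands such as "mkdir -p" are not reported.
    is_cli = any(t.endswith("cli.php") for t in tokens)
    findings = []
    for i, tok in enumerate(tokens):
        if is_cli and tok in CLI_FLAGS and i + 1 < len(tokens):
            findings.append(("cli", tok))            # "-p secret"
        elif is_cli and tok.startswith("--password=") and tok != "--password=":
            findings.append(("cli", "--password"))   # "--password=secret"
        elif "://" in tok:                           # URL method query string
            for name, value in parse_qsl(urlsplit(tok).query):
                if name in URL_PARAMS and value:
                    findings.append(("url", name))
    return findings

def audit(lines):
    """Map 1-based line number to findings; secret values are never returned."""
    report = {}
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if line and not line.startswith("#"):
            hits = find_exposed_secrets(line)
            if hits:
                report[n] = hits
    return report

# Constructed sample crontab: hosts, paths and credentials are made up.
SAMPLE = [
    "# m h dom mon dow command",
    "*/15 * * * * php /var/www/civicrm/bin/cli.php -s example.org -u cronuser -p hunter2 -e Job -a execute",
    "*/15 * * * * wget -q -O - 'https://example.org/civicrm/bin/cron.php?name=cronuser&pass=hunter2&key=abc123'",
    "*/15 * * * * php /var/www/civicrm/bin/cli.php -s example.org -u cronuser -e Job -a execute",
]

if __name__ == "__main__":
    for n, hits in audit(SAMPLE).items():
        print(f"line {n}: secret passed as an argument: {hits}")
```

The same function can be fed the command column of ps output, since the argument list is what both cron and ps expose.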
There is a need to specify which user a cron job should be run as; however, the current cli.php implementation could provide the ability to specify a user without a password.
What do others think? Am I missing anything? As a security issue, it's best to be safe!