Hello,
I'm using os.system() to invoke some openssl command from my ubuntu box. I specify password in line so it looks like:
//python code
os.system("openssl enc -aes-256-cbc ... -k password")
I need to know if is possible to track this command in some shell / bash history file (as it is possible if I type this command into terminal directly, so basically I'm asking if password handling is secure that way)
No, bash only logs commands that are entered interactively.
Commands executed through os.system are not logged anywhere.
No, it does not, however on a multiuser box, passing passwords via command-line parameters is considered bad for security, as other users can (in principle) see them via "ps" etc.
Passing the password via a file descriptor (e.g. stdin) or environment variable is immune to this attack; most programs have support for one of these methods instead. If it bothers you, consider using one of those.
While the arguments are not logged (only interactive commands are logged, and that's in a file that is stored with correct permissions in your home directory) there is still a real danger with passing passwords. Both the command line arguments and the environment variables are visible to all users of the machine who use ps with the correct options. The exact options to do this vary between OSes, so check your local documentation (on OSX, it's ps -wwaxE that spills the beans).
The safe way to pass the password in is either via a pipe and the -pass stdin option to openssl (-k is insecure and obsolete) or via a file with carefully-set permissions and the -pass file:pathname option (replacing pathname with the name of the file, of course). You could also use -pass fd:number but I don't know how easy that is to fit with os.system. All the above are secure (possibly with care) because you can't peek inside pipes and you can properly secure the filesystem.
Of course, once you've taken these steps to secure your invocation of openssl, whether or not it is logged won't matter; it will be secure anyway.