From: Tzafrir Cohen (tzafrir_at_nonexisting.hamakor.org.il)
Date: Sun 27 Jun 2004 - 00:32:34 IDT
On Sun, Jun 27, 2004 at 12:00:55AM +0300, Shaul Karl wrote:
> when one issues
>
> some_command -p password
>
> the password will be shown by ps and probably in other places, like
> /proc.
>
>
> 1. What is the full list of places where the password will be shown?
Basically, /proc/PID/cmdline
It will also reside in the command-line history file (e.g.
~/.bash_history), if run directly. Most of the workarounds you suggest
indeed will not get it into the history.
>
> 2. How to hide it?
If you want to hide it from other users, you can try a patch that
tightens the permissions under /proc. There are a number of such
patches hanging around. I personally like the Openwall Linux patch,
that includes this, among others. http://openwall.com/linux/
But this will not hide it from other processes that are run by the same user
or by root.
> 2.1 I googled a bit and saw 2 main methods:
> 2.1.1 By using a here document:
>
> some_command <<EOF
> -p password
> EOF
>
> Will this method hide the password completely? That is, will it be
> hidden from all the places that were mentioned in section 1 above?
cmdline of that process will still have '-p password'
> 2.1.2 By making the command line long enough so that the password will
> be effectively hidden from ps. I didn't like that method.
cat /proc/PID/cmdline will still show it.
> 2.1.3 Anything else?
> 2.2 When the source for command is under control, what is the best way
> to hide the password while still being able to read it in the
> command line?
An almost direct answer: pass it through the environment instead.
Problem: the process's environment is basically just as readable as the
command-line.
> 2.2.1 A method which slightly deviates from the requirement is to make
> the program able to read parameters from a file. Besides the need
> to handle this file, what are the drawbacks?
Not sure. This is how it's done with smbmount.
> 2.2.2 What about
> printf "-p password" | some_command -
> ?
cmdline of that process will still have '-p password'
--
Tzafrir Cohen                       +---------------------------+
http://www.technion.ac.il/~tzafrir/ |vim is a mutt's best friend|
mailto:tzafrir_at_technion.ac.il    +---------------------------+
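
An added example, not part of the original messages: a Linux-only audit script that starts a stand-in child process and reports whether a secret handed to it via argv, the environment, or stdin is readable in /proc/PID/cmdline or /proc/PID/environ. The names SECRET, DEMO_PASSWORD and demo are constructed for the illustration.

```shell
#!/bin/sh
# Added example: where does a secret given to a child process become readable?
# Linux-only (reads /proc). SECRET, DEMO_PASSWORD and "demo" are constructed names.
SECRET='constructed-secret-123'

# Print which /proc file of PID $1 contains the secret:
# cmdline, environ, cmdline+environ, or none.
exposure() {
    found=none
    if tr '\0' ' ' < "/proc/$1/cmdline" | grep -qF -- "$SECRET"; then
        found=cmdline
    fi
    if tr '\0' '\n' < "/proc/$1/environ" | grep -qF -- "$SECRET"; then
        if [ "$found" = none ]; then found=environ; else found=cmdline+environ; fi
    fi
    echo "$found"
}

# Start a stand-in child that receives the secret via $1 = argv | env | stdin,
# inspect it while it is alive, then stop it. The trailing "; :" keeps sh from
# exec'ing sleep directly, so the child keeps its own argv for the whole run.
run_case() {
    case "$1" in
        argv)
            sh -c 'sleep 3; :' demo -p "$SECRET" >/dev/null 2>&1 &
            ;;
        env)
            DEMO_PASSWORD="$SECRET" sh -c 'sleep 3; :' demo >/dev/null 2>&1 &
            ;;
        stdin)
            sh -c 'read -r pw; sleep 3; :' demo >/dev/null 2>&1 <<EOF &
$SECRET
EOF
            ;;
    esac
    pid=$!
    sleep 1                               # let the child finish exec()
    exposure "$pid"
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

for method in argv env stdin; do
    printf '%-5s -> %s\n' "$method" "$(run_case "$method")"
done
```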
This archive was generated by hypermail 2.1.7 : Sun 27 Jun 2004 - 00:46:17 IDT