From: Noam L. (noam_at_nonexisting.hamakor.org.il)
Date: Sun 27 Jun 2004 - 10:36:26 IDT
A program can cloak its command line (or even have it cloaked for it).
An example: MySQL's client:
root_at_mail:/var/lib/mysql# mysql -uroot -pyeahrigh
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 506 to server version: 4.0.18-log
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>
[on another terminal]
.
6093 pts/76 S 0:00 mysql -uroot -px xxxxxx
.
root_at_mail:/var/lib/mysql# cat /proc/6093/cmdline
mysql-uroot-pxxxxxxx
Such a program does that by editing its argv. It is also possible for it to be
done for a specific program; however, problems may arise since that program
might still be using the modified argv in the future, which can cause problems
if it's reading the password from it.
--
Regards,
Noam L.

Quoting Shaul Karl <shaulk_at_actcom.net.il>:

> when one issues
>
> some_command -p password
>
> the password will be shown by ps and probably in other places, like
> /proc.
>
>
> 1. What is the full list of places where the password will be shown?
>
> 2. How to hide it?
> 2.1 I googled a bit and saw 2 main methods:
> 2.1.1 By using a here document:
>
> some_command <<EOF
> -p password
> EOF
>
> Will this method hide the password completely? That is, will it be
> hidden from all the places that were mentioned in section 1 above?
> 2.1.2 By making the command line long enough so that the password will
> be effectively hidden from ps. I didn't like that method.
> 2.1.3 Anything else?
> 2.2 When the source for command is under control, what is the best way
> to hide the password while still being able to read it in the
> command line?
> 2.2.1 A method which slightly deviates from the requirement is to make
> the program able to read parameters from a file. Beside the need
> to handle this file, what are the drawbacks?
> 2.2.2 What about
> printf "-p password" | some_command -
> ?
> 2.2.3 Anything else?
>
> --
> "If you have an apple and I have an apple and we exchange apples then
> you and I will still each have one apple. But if you have an idea and I
> have an idea and we exchange these ideas, then each of us will have two
> ideas." -- George Bernard Shaw (sent by shaulk @ actcom . net . il)
>
> =================================================================
> To unsubscribe, send mail to linux-il-request_at_linux.org.il with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail linux-il-request_at_linux.org.il

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
-Thank you horde!-
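
The argv-editing approach described in the reply above, as an added example (not part of the original message and not MySQL's own code): the program copies the password out of argv into a private buffer first, then overwrites the argv bytes with x's, so later code never reads the scrubbed argument. The function name take_password and the -p<password> argument form are assumptions made for the illustration.

```c
/* Added example: copy a -p<password> argument to private memory, then
 * overwrite the original argv bytes so ps and /proc/<pid>/cmdline show x's.
 * Linux-specific: /proc/<pid>/cmdline is read from the process's own
 * argument area, so in-place writes to the argv strings are visible there. */
#include <stdio.h>
#include <string.h>

/* Find the first "-p<secret>" argument, copy <secret> into out (outlen
 * bytes), then overwrite the secret in argv with 'x', keeping its length.
 * Returns the secret length, or -1 if it is absent or does not fit in out.
 * The argument is scrubbed even when it does not fit. */
int take_password(int argc, char **argv, char *out, size_t outlen)
{
    for (int i = 1; i < argc; i++) {
        if (strncmp(argv[i], "-p", 2) != 0 || argv[i][2] == '\0')
            continue;
        char *secret = argv[i] + 2;
        size_t n = strlen(secret);
        int fits = n < outlen;
        if (fits)
            memcpy(out, secret, n + 1);  /* keep a private copy first */
        memset(secret, 'x', n);          /* then scrub the public one */
        return fits ? (int)n : -1;
    }
    return -1;
}

int main(int argc, char **argv)
{
    char password[128];
    if (take_password(argc, argv, password, sizeof password) < 0) {
        fprintf(stderr, "usage: %s -p<password>\n", argv[0]);
        return 1;
    }
    /* From here on, use only the private copy, never argv. */
    FILE *f = fopen("/proc/self/cmdline", "rb");
    if (f) {
        char buf[4096];
        size_t len = fread(buf, 1, sizeof buf, f);
        fclose(f);
        for (size_t i = 0; i < len; i++)  /* NUL separators -> spaces */
            putchar(buf[i] ? buf[i] : ' ');
        putchar('\n');
    }
    return 0;
}
```

The password is still readable by other users between the moment the process starts and the moment the overwrite runs, so this narrows the exposure window rather than closing it.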
This archive was generated by hypermail 2.1.7 : Sun 27 Jun 2004 - 10:55:41 IDT