I was just glancing through wget’s FAQ today and noticed something odd in the last entry, http://wget.addictivecode.org/FrequentlyAskedQuestions#Is_there_a_way_to_hide_my_clear-text_user.2BAC8-pass_combo_from_the_process_table.3F . It suggests that using the following will hide the password from “$ ps -f”:
wget --post-data "os_password=$(read -s -p "Password: " pass && echo pass)" http://localhost/login
First, as I expected, when I run that command and type “mypass” at the
prompt, it still passes “os_password=pass” to wget instead of
“os_password=mypass” (I used http://localhost:8081/):
ohnobinki@gentoodcxdelllappy ~/atheme $ nc -l -p 8081
POST /login HTTP/1.1
User-Agent: Wget/1.14 (linux-gnu)
Accept: */*
Host: localhost:8081
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

os_password=pass
To remedy this, naturally, the “echo pass” would be replaced with
“echo $pass” or “echo ${pass}”.
Secondly, the password still appears in “$ ps -f” (the process was
hanging around because I’m not very experienced at being an httpd so I
didn’t know what to say back to wget ;-)):
ohnobinki@gentoodcxdelllappy ~/pcsx2-read-only $ ps -fe | grep -e wge[t]
1000 6219 4180 0 10:20 pts/10 00:00:00 wget --post-data
os_password=pass http://localhost:8081/login
Would someone be willing to explain why this method was thought to be a
way of hiding a typed password from “$ ps -f”? The suggested command is
misleading and, because of the question it is answering, the answer
suggests that wget implements its own subshell to dynamically calculate
its parameters. Using shell expansion is (quite obviously, IMO) no way to
hide parameters from “$ ps -f”. Thus, I assumed that it must somehow not
be shell expansion until I remembered that double-quotes purposefully do
not inhibit shell parameter expansion ;-). It might make sense if wget
actually somehow implemented sh’s read function and the expansion
happened inside of the wget process; then the password would be hidden…
I think that the command should be revised to use --post-file. I think
that the “read -s -p "Password: " pass; echo "os_password=${pass}" > sometempfile”
method will work OK *as long as echo is a shell built-in*.
--
binki
Look out for missing or extraneous apostrophes!
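As an added example (not code from the wget FAQ, the poster, or the wget project), the script below demonstrates both halves of the post: the calling shell expands $(...) before the child is exec'd, so the expanded --post-data argument is what ps sees, while the --post-file variant with a private temp file keeps the password out of argv. To run offline, a stand-in child that prints the argv it received replaces wget; the password "mypass", the URL, and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not code from the wget FAQ or the original post).
# It shows why the FAQ's $(...) trick cannot hide a password from ps, and
# the --post-file remedy proposed in the post. A stand-in child that prints
# the argv it received replaces wget so the script runs offline; the
# password and URL used at the bottom are constructed sample values.

# Stand-in for wget: prints the argv it was exec'd with on one line, which
# is exactly what /proc/<pid>/cmdline and "ps -f" would show for wget.
fake_wget() {
    sh -c 'printf "%s " "$0" "$@"; echo' wget "$@"
}

# The FAQ's construction. The CALLING shell performs the $(...) expansion
# before the child is exec'd, so the clear-text password lands in argv.
# $1 is the password (the FAQ obtains it with read -s); $2 is the URL.
leaky_post() {
    pass=$1; url=$2
    fake_wget --post-data "os_password=$(printf '%s' "$pass")" "$url"
}

# The remedy: read the password once, write the body to a private temp
# file, and hand wget only the file name. Runs in a subshell so umask, the
# variables and the trap do not leak into the caller. Prints three lines:
# the argv the child saw, the temp file's mode, and the body to be POSTed.
safe_post() (
    pass=$1; url=$2
    umask 077                      # file is created rw------- from the start
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT       # never leave the password on disk
    # printf is a shell builtin in sh/bash/dash, so the password does not
    # become some other process's argv either (the post's "as long as echo
    # is a shell built-in" condition). wget sends the body verbatim, so a
    # password containing '&', '=' or '%' would need URL-encoding first.
    printf 'os_password=%s' "$pass" > "$tmp"
    fake_wget --post-file "$tmp" "$url"
    ls -l "$tmp" | cut -c1-10      # expected: -rw-------
    cat "$tmp"; echo
)

# True if needle $2 occurs in haystack $1, i.e. what "ps -fe | grep" finds.
contains() {
    case "$1" in *"$2"*) return 0 ;; esac
    return 1
}

# Demo run: the leaky argv line, then the three safe_post lines.
main() {
    leaky=$(leaky_post 'mypass' 'http://localhost:8081/login')
    echo "with --post-data : $leaky"
    safe_post 'mypass' 'http://localhost:8081/login' | sed 's/^/with --post-file : /'
}
main
```

The temp-file approach still has one window worth noting: the body sits on disk for the lifetime of the request, which is why the example sets umask before mktemp and removes the file with a trap rather than at the end of the happy path only.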
