On Thu, Mar 11, 2021 at 09:49:03PM +0200, Otto Kekäläinen <o...@debian.org> 
wrote:
> Thanks for looking into this and reporting it. Could you be a bit more
> specific what the context is, who can view the command?

This is a rather old and well-known type of security issue.

Typically any local user can view the password. This data is also often
exposed in monitoring output, http status pages, smtp and so on.

The command line and environment are simply the wrong places to expose
secret data - passwords should never be shown on screen in cleartext.

(That includes the environment, btw. storing secrets in environment
variables is similarly insecure).

> How do you suggest the password would be passed?

The typical method that is employed in practice is passing it via a file
descriptor. A bit less secure is using a (non-world-readable) file, e.g.
using --defaults-extra-file.

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schm...@schmorp.de
      -=====/_/_//_/\_,_/ /_/\_\
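The two ways of passing the password contrasted in the reply above (an argument in argv versus a private --defaults-extra-file), as an added shell example that is not part of this thread or of the mysql/MariaDB client: it assumes a POSIX shell with Linux /proc (or ps) and uses a constructed demo password; the mysql client itself is never invoked.

```shell
#!/bin/sh
# Added example, not code from this thread or from the mysql/MariaDB project.
# Shows why a password in argv is readable by every local user and the
# --defaults-extra-file alternative the reply mentions.
# Assumes a POSIX shell with Linux /proc (falls back to ps); mysql is not run.
set -eu

# Constructed demo value, not a real secret.
DEMO_PASSWORD='demo-secret-not-real'

# Start a stand-in for "mysql --password=SECRET" and read its argument vector
# the way any other local user can (ps, /proc/<pid>/cmdline, monitoring agents).
# Prints "leaked" if the secret is visible there, "hidden" otherwise.
cmdline_leaks_secret() {
    sh -c 'sleep 3; :' sh "--password=$1" >/dev/null 2>&1 &
    pid=$!
    sleep 1   # let the child exec before its argv is inspected
    argv=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || ps -o args= -p "$pid")
    if printf '%s\n' "$argv" | grep -qF -- "$1"; then echo leaked; else echo hidden; fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

# Safer alternative: write the credentials to a client options file that only
# the current user can read, then pass its *name* to the client, so only the
# path appears in argv.  Runs in a subshell so the umask change stays local.
# Prints the path of the file it created; the caller removes it afterwards.
write_defaults_extra_file() (
    umask 077                       # anything created below is mode 0600
    f=$(mktemp)
    printf '[client]\nuser=%s\npassword=%s\n' "$1" "$2" > "$f"
    echo "$f"
)

# True when the file is readable and writable by its owner only (mode 0600).
is_owner_only() {
    [ -n "$(find "$1" -maxdepth 0 -perm 0600)" ]
}

if [ "${1:-}" = "--demo" ]; then
    echo "argv exposure: $(cmdline_leaks_secret "$DEMO_PASSWORD")"
    f=$(write_defaults_extra_file demo_user "$DEMO_PASSWORD")
    ls -l "$f"
    # --defaults-extra-file must be the first option on the mysql command line:
    #   mysql --defaults-extra-file="$f" -e 'SELECT 1'
    rm -f "$f"
fi
```

Run it with `sh script.sh --demo`; the first line reports "leaked" because the stand-in process carries the secret in its argv, while the options file lists as `-rw-------`.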
