On Sun, Jun 27, 2004 at 12:00:55AM +0300, Shaul Karl wrote:
> when one issues
>
>   some_command -p password
>
> the password will be shown by ps and probably in other places, like
> /proc.
>
> 1. What is the full list of places where the password will be shown?

Basically, /proc/PID/cmdline

It will also reside in the command-line history file (e.g.
~/.bash_history), if run directly. Most of the workarounds you suggest
indeed will not get it into the history.

> 2. How to hide it?

If you want to hide it from other users, you can try a patch that
tightens the permissions under /proc. There are a number of such patches
hanging around. I personally like the Openwall linux patch, that includes
this, among others.

http://openwall.com/linux/

But this will not hide it from other processes that are run by the same
user or by root.

> 2.1 I googled a bit and saw 2 main methods:
> 2.1.1 By using a here document:
>
>         some_command <<EOF
>         -p password
>         EOF
>
>       Will this method hide the password completely? That is, will it be
>       hidden from all the places that were mentioned in section 1 above?

cmdline of that process will still have '-p password'

> 2.1.2 By making the command line long enough so that the password will
>       be effectively hidden from ps. I didn't like that method.

cat /proc/PID/cmdline will still show it.

> 2.1.3 Anything else?
> 2.2 When the source for command is under control, what is the best way
>     to hide the password while still being able to read it in the
>     command line?

An almost direct answer: pass it through the environment instead.

Problem: the process's environment is basically just as readable as the
command-line.

> 2.2.1 A method which slightly deviates from the requirement is to make
>       the program able to read parameters from a file. Beside the need
>       to handle this file, what are the drawbacks?

Not sure. This is how it's done with smbmount.

> 2.2.2 What about
>         printf "-p password" | some_command -
>       ?

cmdline of that process will still have '-p password'

-- 
Tzafrir Cohen                       +---------------------------+
http://www.technion.ac.il/~tzafrir/ |vim is a mutt's best friend|
mailto:[EMAIL PROTECTED]            +---------------------------+
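
An added example, not part of the original message: a small audit script that reports which processes readable by the current user carry a password-looking option in /proc/PID/cmdline or a secret-looking variable in /proc/PID/environ, printing only the option or variable name and never the value. The function names and the matching patterns (-p, --password, --passwd, *PASS*, *SECRET*, *TOKEN*) are assumptions chosen for illustration; adjust them to the commands you actually run.

```shell
#!/bin/sh
# Added example (not from the original thread). The option and variable
# patterns are assumptions; "-p" in particular means "port" for many tools.

# list_secret_args FILE
#   FILE is NUL-separated like /proc/PID/cmdline. Prints the name of each
#   option that looks like it carries a password (never the value).
list_secret_args() {
    tr '\0' '\n' < "$1" | while IFS= read -r arg; do
        case $arg in
            -p|--password|--passwd) printf '%s\n' "$arg" ;;
            --password=*|--passwd=*) printf '%s\n' "${arg%%=*}" ;;
        esac
    done
}

# list_secret_env FILE
#   FILE is NUL-separated NAME=value pairs like /proc/PID/environ.
#   Prints the names of variables whose name suggests a secret.
list_secret_env() {
    tr '\0' '\n' < "$1" | while IFS= read -r pair; do
        name=${pair%%=*}
        case $name in
            *PASS*|*SECRET*|*TOKEN*) printf '%s\n' "$name" ;;
        esac
    done
}

# audit_proc: walk /proc and report findings for every process whose
# files this user may read (unreadable ones are skipped silently).
audit_proc() {
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        [ -r "$dir/cmdline" ] || continue
        hits=$(list_secret_args "$dir/cmdline" 2>/dev/null | tr '\n' ' ')
        [ -n "$hits" ] && echo "pid $pid: argv exposes $hits"
        [ -r "$dir/environ" ] || continue
        hits=$(list_secret_env "$dir/environ" 2>/dev/null | tr '\n' ' ')
        [ -n "$hits" ] && echo "pid $pid: environment exposes $hits"
    done
    return 0
}

# Run the scan only when asked, e.g.:  sh audit.sh --scan
if [ "${1:-}" = "--scan" ]; then audit_proc; fi
```

Run as an ordinary user, it shows what any other local account can see on a stock /proc; run it again after tightening /proc permissions to confirm the change.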
