On Sunday 27 June 2004 00:32, Tzafrir Cohen wrote:
> On Sun, Jun 27, 2004 at 12:00:55AM +0300, Shaul Karl wrote:
> > when one issues
> >
> >     some_command -p password
> >
> > the password will be shown by ps and probably in other places, like
> > /proc.
> >
> > 1. What is the full list of places where the password will be shown?
>
> Basically, /proc/PID/cmdline
>
> It will also reside in the command-line history file (e.g.
> ~/.bash_history), if run directly. Most of the workarounds you suggest
> indeed will not get it into the history.
>
> > 2. How to hide it?
>
> If you want to hide it from other users, you can try a patch that
> tightens the permissions under /proc. There are a number of such
> patches hanging around. I personally like the Openwall linux patch,
> that includes this, among others. http://openwall.com/linux/
>
> But this will not hide it from other processes that are run by the same
> user or by root.
>
If you are coding the app itself, you can try overwriting argv. Although,
there will be a small race condition there. This method is mostly used by
nessus (command line) and smbmount.

> > 2.1 I googled a bit and saw 2 main methods:
> > 2.1.1 By using a here document:
> >
> >     some_command <<EOF
> >     -p password
> >     EOF
> >
> > Will this method hide the password completely? That is, will it be
> > hidden from all the places that were mentioned in section 1 above?
>
> cmdline of that process will still have '-p password'
>
> > 2.1.2 By making the command line long enough so that the password will
> > be effectively hidden from ps. I didn't like that method.
>
> cat /proc/PID/cmdline will still show it.
>
> > 2.1.3 Anything else?
> > 2.2 When the source for command is under control, what is the best way
> > to hide the password while still being able to read it in the
> > command line?
>
> An almost direct answer: pass it through the environment instead.
>
> Problem: the process's environment is basically just as readable as the
> command-line.

Good point. ps auxe and /proc/self/environ.

> > 2.2.1 A method which slightly deviates from the requirement is to make
> > the program able to read parameters from a file. Beside the need
> > to handle this file, what are the drawbacks?
>
> None that I know of. I keep my smb passwords (on the workstation:) in
> the fstab, chmodded 640.
>
> Not sure. This is how it's done with smbmount.
>
> > 2.2.2 What about
> >
> >     printf "-p password" | some_command -
> >
> > ?
>
> cmdline of that process will still have '-p password'

Incorrect. Only the current task at hand will be shown in the process list.
There is still the history issue. You can also try cat | some_command -, and
when you are done typing the password you can press CTRL+D. Note that this
approach will also send a new line after the password itself.

If it is not anything you coded, and you need the password entered into
stdin, you can also use expect(1).
Best regards,
Alex

-- 
The difference between theory and practice, is that in theory, there is no
difference between theory and practice.