On 12/06/13 07:50, Andres Perera wrote:
On Fri, Dec 6, 2013 at 1:58 AM, Jan Stary <[email protected]> wrote:
On Dec 05 19:09:05, [email protected] wrote:
but then if the shell implementation uses tmpfiles for heredoc,

does it?

ksh does:

~ $ :<<! &
$(sleep 100)
!
[1] 469
~ $ ls /tmp/sh*
/tmp/shsWf2OXAO

src/bin/ksh/exec.c r1.50:

         /* Create temp file to hold content (done before newenv so temp
          * doesn't get removed too soon).
          */
         h = maketemp(ATEMP, TT_HEREDOC_EXP, &e->temps);


and
doesn't do the equivalent of rm -P, you have another leak you thought
was taken care of

conclusion: shell is not good for this

Yeah right.
Who would even think of doing this in shell.

apparently at least one person did

you aren't in sync with the quantity of real-world shells that use
temp files for heredoc, and that feature combinations of { printf
(not)? being a builtin, alternatives like ``print'' and ``echo'' being
unportable }


You do point out some interesting aspects. I've used the heredoc approach without considering if my shell used tempfiles or not, but I'm usually mostly concerned about stuff not going on the command line.

However, one decides for oneself where to draw the line. There are probably tons of leaks, even if you write your own code.

X, xterm, vi, clipboard, ...

/Alexander


even if it keeps heredocs in memory you have no idea if it zeros it
out afterwards

On Thu, Dec 5, 2013 at 6:57 PM, Andres Perera <[email protected]> wrote:
On Thu, Dec 5, 2013 at 8:57 AM, Christian Weisgerber <[email protected]> wrote:
Zé Loff <[email protected]> wrote:

Not sure how advisable this is, but I'm using a gpg encrypted file,
which I keep somewhere hidden (just because). Just put them in file
foo and do 'gpg -e foo' (assuming you've already setup gpg). When you
need to look something up just do 'gpg -d foo' and the file gets
decrypted to stdout.

*takes a deep breath*

~/bin/pwsafe
--------------->
#!/bin/sh

SAFE=$HOME/.pwsafe
TMPFILE=`mktemp /tmp/pwsafeXXXXXXXXXX` || exit 1

trap 'rm -P "$TMPFILE"' 0 1 2 15

STTY=`stty -g`
echo -n "Password: "
stty -echo
read PASSWORD
stty "$STTY"

set -e
echo -n "$PASSWORD" | openssl aes-256-cbc -d -in "$SAFE" -out "$TMPFILE" -pass stdin

this is tricky. some people will read and say ok i'll switch echo for
printf and get on w/my life

printf, not being a builtin, will show up in ps(1), and so will $PASSWORD

not apparent from the simple syntax used that such a change could end
up leaking important things

it's better to use heredoc:

openssl aes-256-cbc -d -in "$SAFE" -out "$TMPFILE" -pass stdin <<!
$PASSWORD
!

${EDITOR-${VISUAL-vi}} "$TMPFILE"
echo -n "$PASSWORD" | openssl aes-256-cbc -in "$TMPFILE" -out "$SAFE" -pass stdin
<---------------

--
Christian "naddy" Weisgerber                          [email protected]
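The argv leak Andres describes (an external printf or echo receiving the password as an argument, where ps(1) can read it) can be checked for at run time instead of assumed. The following is an added example, not code from the thread or from naddy's pwsafe script: it uses `type` to decide whether the producer is a builtin of the running shell and refuses to pipe the secret through an external one. The function names `is_builtin`, `feed_secret` and `leak_surface`, and the "hunter2" sample secret, are constructed for the example. It does nothing about the heredoc temp-file issue, which is a separate leak.

```shell
#!/bin/sh
# Added example (not from the thread): before piping a secret into a
# command, confirm that the producer is a shell builtin.  An external
# /usr/bin/printf or /bin/echo receives the secret in its argv, where
# ps(1) can read it for the lifetime of that process.

# Return 0 if "$1" resolves to a builtin in the running shell.  The
# wording of `type` differs between shells, but ksh, bash, dash and
# zsh all include the word "builtin" for builtins and a path for
# external commands.
is_builtin() {
    case "$(type "$1" 2>/dev/null)" in
        *builtin*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Write the secret in $1, followed by a newline, to the standard input
# of the command given in the remaining arguments.  Refuses to run if
# printf is external, so the secret never becomes the argv of a
# separate process.  Returns the command's exit status, or 2 on refusal.
feed_secret() {
    feed_secret_value=$1
    shift
    if ! is_builtin printf; then
        echo "feed_secret: printf is external in this shell; refusing" >&2
        unset feed_secret_value
        return 2
    fi
    printf '%s\n' "$feed_secret_value" | "$@"
    feed_secret_rc=$?
    unset feed_secret_value
    return $feed_secret_rc
}

# Describe where a secret handed to "$1" would be visible.
leak_surface() {
    if is_builtin "$1"; then
        echo "$1: builtin, secret stays inside the shell process"
    else
        echo "$1: external, secret appears in argv (visible to ps(1))"
    fi
}

# Usage in a pwsafe-style script (assumes SAFE, TMPFILE and PASSWORD
# are set as in the script above; -pass stdin is openssl's option to
# read the passphrase from standard input):
#   feed_secret "$PASSWORD" openssl aes-256-cbc -d -in "$SAFE" -out "$TMPFILE" -pass stdin
```

`leak_surface echo` and `leak_surface printf` report what the running shell actually does, which is the question the thread leaves open for "real world shells"; run them under each /bin/sh you intend to deploy on rather than assuming the answer from one system.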
