On Fri, Dec 6, 2013 at 7:09 AM, Paul de Weerd <[email protected]> wrote:
> On Fri, Dec 06, 2013 at 06:59:02AM -0430, Andres Perera wrote:
> | with C you can be very explicit about where you store and when you zero out
>
> with shell you can be very explicit about where you store and when you
> zero out

well, instead of `read PASSWORD', the code could've stored the password in a
file, piped it to openssl for unlocking, and rm -P'd that along with the
cleartext version of the db, avoiding problems w/ transporting with a possibly
external printf that broadcasts in ps(1), or a tmpfile-backed heredoc

this way you are explicit, also reusing logic already present

it's still a clumsy way of cleartext store, and exposes the file to other user
processes

on the other hand, ptrace() means memory is exposed to other user processes

so, you are still being a silly person and i don't feel like stressing that
further

> | with shell it's easy to be clumsy in this particular domain
>
> with C it's easy to be clumsy in this particular domain
>
> What you said is true, sure, but it also holds the other way around.

what you said is like reading a book of Chinese sayings; ie you contributed
nothing

> Paul 'WEiRD' de Weerd
>
> --
> >++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
> +++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
> http://www.weirdnet.nl/
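The file-based approach described in the message above, as an added example that is not code from the thread or from either poster: the passphrase is written to a mode-0600 file and handed to openssl with `-pass file:`, so it never appears in any process's argv (which ps(1) shows to every user), and the passphrase file and the cleartext copy of the database are overwritten before being unlinked. The function names `write_secret_file`, `unlock_db`, `secure_rm` and `demo` are hypothetical. It assumes an openssl that understands `enc -pbkdf2` and a `mktemp` that creates 0600 files; `rm -P` is the OpenBSD form mentioned in the thread, and the script falls back to `shred -u` or a single `dd` overwrite where `rm -P` is not available. The demo feeds a constructed passphrase through a heredoc only because it has to run unattended; an interactive script would read it from the terminal with echo turned off.

```shell
#!/bin/sh
# Added example: pass a secret to openssl through a private file rather than
# through argv, then overwrite and remove it. Not from the original thread.

# Overwrite-then-unlink. rm -P is OpenBSD; shred(1) is the GNU equivalent;
# the last resort overwrites the file once with zeros before rm. Note that
# none of these help on filesystems that remap blocks (CoW, snapshots, SSDs).
secure_rm() {
    f=$1
    [ -e "$f" ] || return 0
    if rm -P -- "$f" 2>/dev/null; then
        return 0
    elif command -v shred >/dev/null 2>&1; then
        shred -u -- "$f"
    else
        size=$(wc -c < "$f")
        dd if=/dev/zero of="$f" bs=1 count="$size" conv=notrunc 2>/dev/null
        rm -f -- "$f"
    fi
}

# Copy stdin into a fresh 0600 file and print its path. mktemp already
# creates the file private; the umask guards the redirection as well.
write_secret_file() {
    f=$(mktemp "${TMPDIR:-/tmp}/pw.XXXXXX") || return 1
    (umask 077; cat > "$f") || return 1
    echo "$f"
}

# Decrypt $2 into $3 with the passphrase stored in file $1.
# openssl reads the passphrase itself, so it is never on the command line.
unlock_db() {
    pwfile=$1; enc=$2; out=$3
    (umask 077
     openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$pwfile" -in "$enc" -out "$out")
}

# Round trip on constructed data. Returns 0 when the decrypted copy matches
# the original and neither the passphrase file nor the cleartext copy remains.
demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/pwdemo.XXXXXX") || return 1
    printf 'constructed sample database contents\n' > "$work/db.txt"
    # Constructed passphrase; a heredoc keeps it out of argv for this self-test.
    pwfile=$(write_secret_file <<'EOF'
constructed-demo-passphrase
EOF
) || return 1
    (umask 077
     openssl enc -aes-256-cbc -pbkdf2 -pass "file:$pwfile" \
         -in "$work/db.txt" -out "$work/db.enc") || return 1
    unlock_db "$pwfile" "$work/db.enc" "$work/db.clear" || return 1
    if cmp -s "$work/db.txt" "$work/db.clear"; then same=0; else same=1; fi
    # Scrub the passphrase and the cleartext copy before dropping the workdir.
    secure_rm "$pwfile"
    secure_rm "$work/db.clear"
    rm -rf -- "$work"
    [ "$same" -eq 0 ] && [ ! -e "$pwfile" ] && [ ! -e "$work/db.clear" ]
}
```

Run `demo` to exercise the whole path; `secure_rm` and `write_secret_file` are usable on their own. The remaining weakness is the one the message itself names: while the file exists it is readable by any process running as the same user, just as the process memory would be under ptrace(), so the file approach removes the argv broadcast but does not remove same-user exposure.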

