On Fri, Dec 6, 2013 at 8:07 AM, Paul de Weerd <[email protected]> wrote:
> On Fri, Dec 06, 2013 at 07:41:17AM -0430, Andres Perera wrote:
> | On Fri, Dec 6, 2013 at 7:09 AM, Paul de Weerd <[email protected]> wrote:
> | > On Fri, Dec 06, 2013 at 06:59:02AM -0430, Andres Perera wrote:
> | > | with C you can be very explicit about where you store and when you zero out
> | >
> | > with shell you can be very explicit about where you store and when you
> | > zero out
> |
> | well,
> |
> | instead of `read PASSWORD', the code could've stored the password in a
> | file
>
> Oh really?  How then, pray tell, would you've gotten the PASSWORD in
> that file?  How do you get input from the user and store it in a file,
> without using read in a shell script?
you use cat, muffin face:

...
STTY=`stty -g`
echo -n "Password: "
stty -echo
cat > PASSWORD_FILE_DONT_READ_IF_YOU_ARE_OTHER_PROCESS_PLS
stty "$STTY"
...
openssl -d ... < PASSWORD_FILE_DONT_READ_IF_YOU_ARE_OTHER_PROCESS_PLS

>
> | pipe it to openssl for unlocking, and rm -P that along with the
> | cleartext version of the db, avoiding problems w/transporting with a
> | possibly external printf that broadcasts in ps(1), or a tmpfile-backed
> | heredoc
>
> Naddy's original post didn't use printf, it used echo.  It didn't use
> a tmpfile-backed heredoc, it piped in the password to openssl's stdin
> using the builtin echo.  You're describing problems that could've been
> if Naddy had been more clumsy.  But he wasn't, Naddy didn't do any of
> that.
>
> Here's something else Naddy could've done (but didn't): He could've
> put the password on a public website and used ftp -o - to pass it into
> openssl.  He didn't do something stupid like that.  Suggesting this
> and arguing against it contributes nothing.  So I don't.
>
> You are arguing about things that didn't happen.  You're not
> contributing anything of value either.  The problem with you is that
> you think you did...

why did i use printf or heredoc? what happens if a password contains the
substring "\r" when you echo it? does "naddy" feel comfortable with the
brittle dependency of echo being a builtin, and does everybody else?

why are you such a retard?

>
> | this way you are explicit, also reusing logic already present
> |
> | it's still clumsy way of cleartext store, and exposes the file to
> | other user processes
> |
> | on the other hand, ptrace() means memory is exposed to other user processes
> |
> | so, you are still being a silly person and i don't feel like stressing
> | that further
> |
> | >
> | > | with shell it's easy to be clumsy in this particular domain
> | >
> | > with C it's easy to be clumsy in this particular domain
> | >
> | >
> | > What you said is true, sure, but it also holds the other way around.
> | >
> | what you said is like reading a book of chinese sayings; ie you
> | contributed nothing
> |
> | >
> | > Paul 'WEiRD' de Weerd
> | >
> | > --
> | >>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
> | > +++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
> | > http://www.weirdnet.nl/
> | >
>
> --
> >++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
> +++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
> http://www.weirdnet.nl/
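The thread above argues over three ways of moving a passphrase from the user into openssl: `read` plus the shell's `echo`, a cleartext temp file read by `cat`, or an external `printf` whose argv shows up in ps(1). The following POSIX sh script is an added example written for this thread, not code posted by any participant. It reads the passphrase with `read -r` (backslashes stay literal, so a password containing "\r" is not mangled), saves and restores the terminal with `stty -g` the way the `cat` snippet does, and hands the secret to the consumer over a pipe using the builtin `printf '%s'`, so it is never an argv string and never touches the filesystem. The consumer command is a parameter; `cat` is used as a stand-in and the openssl `-pass stdin` invocation in the comment is illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): read a passphrase without terminal
# echo and deliver it to a consumer's stdin, avoiding argv and temp files.

# Write the secret verbatim. printf '%s' never interprets backslash
# sequences, unlike echo in some shells, where "\r" inside a password
# would become a carriage return. The shell builtin printf also keeps the
# secret out of any external process's argv (visible in ps).
emit_secret() {
    printf '%s' "$1"
}

# Read one line from stdin. When stdin is a terminal, switch echo off and
# restore the saved settings on normal exit and on interrupt. -r keeps
# backslashes literal; IFS= keeps leading/trailing blanks.
read_secret() {
    if [ -t 0 ]; then
        saved=$(stty -g)
        trap 'stty "$saved"' EXIT INT TERM
        stty -echo
        printf 'Password: ' >&2
    fi
    IFS= read -r secret
    if [ -t 0 ]; then
        stty "$saved"
        trap - EXIT INT TERM
        printf '\n' >&2
    fi
    printf '%s' "$secret"
}

# Read the secret, then pipe it into the consumer given as arguments.
# The consumer never sees the secret in its argv, only on stdin.
# Illustrative real-world consumer (not run here):
#   feed_consumer openssl enc -d -aes-256-cbc -pass stdin -in db.enc -out db
feed_consumer() {
    pw=$(read_secret)
    emit_secret "$pw" | "$@"
}
```

Running `feed_consumer cat` on a terminal prompts without echo and prints the entered passphrase back unchanged, which is a quick way to confirm that a value such as `p\rq` survives the round trip byte for byte; the script itself does not store the secret anywhere other than shell variables in the current process.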

