On Fri, 5 Mar 1999, Sam wrote:
> One feature of PGP 2.6, at least, is that you can shove the passphrase
> into the PGPPASS environment variable.

Good gawd, no.

On a private machine, sure. But this information -can- be gotten to on
many UNIXen without a lot of trouble. Try this on any Solaris box (2.6
will do nicely):

    /usr/ucb/ps -eax

Full dump of the environment for every process. Still feel safe?

This is why you see people going to great lengths to protect secret
cookies; look at how RTR Software did their FP extension suid piece to see
a good example of how to pass passwords in a safer manner (stdin).

(Before anyone jumps on me: I know that this information is private on
sane operating systems. I'm pointing out that it's a bad idea on a few
rather popular ones.)

--
Edward S. Marshall <[EMAIL PROTECTED]> [ What goes up, must come down. ]
http://www.logic.net/~emarshal/ [ Ask any system administrator. ]
Linux labyrinth 2.2.2-pre2 #2 Sun Feb 14 15:24:09 CST 1999 i586 unknown
8:00pm up 18 days, 20:36, 4 users, load average: 0.76, 0.31, 0.10
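
Added example (not part of the original message): a Python sketch of the point above, handing a passphrase to a child process through its environment versus through stdin, then checking what the child's environment block exposes. It assumes a Linux-style /proc, where that block is readable by the same user and root rather than by everyone; DEMO_PASS, the child script and the passphrase are constructed stand-ins, not PGP itself.

```python
import os
import subprocess
import sys

SECRET = "constructed-demo-passphrase"  # constructed sample value, not a real secret

# Hypothetical stand-in for a program that needs a passphrase (not PGP itself).
CHILD = r'''
import os, sys
if sys.argv[1] == "env":
    pw = os.environ.get("DEMO_PASS")
else:
    pw = sys.stdin.readline().rstrip("\n")
print("got" if pw else "none", flush=True)
sys.stdin.read()  # stay alive until the parent closes stdin
'''

def environ_of(pid):
    """Return the process's environment block as an observer reads it, or None."""
    try:
        with open(f"/proc/{pid}/environ", "rb") as f:
            return f.read()
    except OSError:
        return None  # no /proc here, or not permitted

def run(mode):
    """Start the child in 'env' or 'stdin' mode; return (received, exposed)."""
    env = {k: v for k, v in os.environ.items() if k != "DEMO_PASS"}
    if mode == "env":
        env["DEMO_PASS"] = SECRET  # weak: lives in the process environment
    proc = subprocess.Popen([sys.executable, "-c", CHILD, mode], env=env,
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    if mode == "stdin":
        proc.stdin.write(SECRET + "\n")  # safer: travels over a private pipe
        proc.stdin.flush()
    received = proc.stdout.readline().strip() == "got"
    block = environ_of(proc.pid)  # inspect while the child is still running
    proc.stdin.close()
    proc.wait()
    proc.stdout.close()
    exposed = None if block is None else SECRET.encode() in block
    return received, exposed

if __name__ == "__main__":
    for mode in ("env", "stdin"):
        received, exposed = run(mode)
        print(f"{mode:5s} received={received} visible_in_environ={exposed}")
```

In both modes the child receives the passphrase; only in the environment mode does it also sit in a per-process block that tools outside the child can read.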