Indeed, ps does not show the command line args of the dsmadmc process.
(I did not check it before posting...). So the TSM developpers did a better
job that de oracle guys; given userid/passwd as argument to sqlplus does
not hide it in the ps output (just checked this...)
However, the way this works is that dsmadmc just 'clears' the arguments
passed to it. This means there is a small race condition. If you are quick
enough you can see the passwords. Using the following script:
#!/bin/ksh
while true; do
ps -ef | grep dsmadmc | grep -v grep
done
Lets name this greptsm and running this in the background
# ./greptsm > /tmp/greptsm.log &
and running some dsmadmc commands from the commandline
(I created a test user with passowrd test) quickly shows
some useful info:
root 21050 21448 3 12:04:13 pts/0 0:00 dsmadmc
root 21050 21448 0 12:04:13 pts/0 0:00 [dsmadmc]
root 15500 21448 0 12:04:14 pts/0 0:00 [dsmadmc]
root 28996 21448 1 12:04:15 pts/0 0:00 dsmadmc -id=test -pa=test q act
begint=-00:01
root 28996 21448 4 12:04:15 pts/0 0:00 dsmadmc
root 28996 21448 4 12:04:15 pts/0 0:00 dsmadmc
root 28996 21448 4 12:04:15 pts/0 0:00 dsmadmc
root 28996 21448 5 12:04:15 pts/0 0:00 dsmadmc
So your'e save most of the times, but if you have some time to kill
it can easily be done... (this was tested on a AIX 5.1 system)
-Marcel
On Tue, May 27, 2003 at 02:58:45PM -0700, Alex Paschal wrote:
> Actually, it doesn't show on AIX 5.2 or AIX 4.3.3. I can't speak for any
> other OS's or client levels.
>
> Alex Paschal
> Freightliner, LLC
> (503) 745-6850 phone/vmail
>
> alex /home/alex $ dsmadmc -id=myid -pa=mypass
> Tivoli Storage Manager
> Command Line Administrative Interface - Version 5, Release 1, Level 5.2
> (C) Copyright IBM Corporation 1990, 2002 All Rights Reserved.
>
> Session established with server CORPTSM: AIX-RS/6000
> Server Version 5, Release 1, Level 5.4
> Server date/time: 05/27/03 14:52:24 Last access: 05/27/03 14:48:43
>
>
> tsm: CORPTSM>[1] + Stopped (SIGTSTP) dsmadmc -id=reports -pa=reports
> alex /home/alex $ ps -ef | grep dsm
> alex 24742 20888 0 14:54:06 pts/6 0:00 dsmadmc
> alex 33486 20888 2 14:54:10 pts/6 0:00 grep dsm
> alex /home/alex $ fg
> dsmadmc -id=reports -pa=reports
> quit
>
> ANS8002I Highest return code was 0.
>
> alex /home/alex $ r ps
> ps -ef | grep dsm
> alex 33488 20888 2 14:54:19 pts/6 0:00 grep dsm
> alex /home/alex $
>
> -----Original Message-----
> From: Marcel J.E. Mol [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, May 27, 2003 1:42 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Clear text passwords. Was: Automating dsmserv
>
>
> On Tue, May 27, 2003 at 04:06:32PM -0400, Stephen E. Bacher wrote:
> > Justin Bleistein <[EMAIL PROTECTED]> wrote:
> >
> > >any alternatives to running: "dsmserv" via batch mode with the:
> > >
> > >dsmadmc -id=login -pass=password syntax...
> > >
> > >I mean it's passwords in clear text so all someone has to do is cat that
> > >file and your exposed... Any ideas on how to automate the client-server
> > >interface (dsmadmc) without displaying the password anywhere?. Thanks!.
> >
> > A slight improvement on security would be something like:
> >
> > dsmadmc -id=login -pass=`cat /private/tsm/password.txt`
>
> As a normal user on this system do "ps -ef | grep dsm" and you'll
> see the result of `cat /private/tsm/password.txt` ...
>
> -Marcel
> --
> ======-------- Marcel J.E. Mol MESA Consulting
> B.V.
> =======--------- ph. +31-(0)6-54724868 P.O. Box 112
> =======--------- [EMAIL PROTECTED] 2630 AC Nootdorp
> __==== www.mesa.nl ---____U_n_i_x______I_n_t_e_r_n_e_t____ The Netherlands
> ____
> They couldn't think of a number, Linux user 1148 --
> counter.li.org
> so they gave me a name! -- Rupert Hine -- www.ruperthine.com
--
======-------- Marcel J.E. Mol MESA Consulting B.V.
=======--------- ph. +31-(0)6-54724868 P.O. Box 112
=======--------- [EMAIL PROTECTED] 2630 AC Nootdorp
__==== www.mesa.nl ---____U_n_i_x______I_n_t_e_r_n_e_t____ The Netherlands ____
They couldn't think of a number, Linux user 1148 -- counter.li.org
so they gave me a name! -- Rupert Hine -- www.ruperthine.com
