A program can cloak its command line (or even have it cloaked for it).
An example: MySQL's client:
[EMAIL PROTECTED]:/var/lib/mysql# mysql -uroot -pyeahrigh
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 506 to server version: 4.0.18-log
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>
[on another terminal]
.
6093 pts/76 S 0:00 mysql -uroot -px xxxxxx
.
[EMAIL PROTECTED]:/var/lib/mysql# cat /proc/6093/cmdline
mysql-uroot-pxxxxxxx
Such a program does that by editing its argv. It is also possible for it to be
done for a specific program; however, problems may arise since that program
might still be using the modified argv in the future, which can cause problems
if it's reading the password from it.
--
Regards,
Noam L.
Quoting Shaul Karl <[EMAIL PROTECTED]>:
when one issues
some_command -p password
the password will be shown by ps and probably in other places, like
/proc.
1. What is the full list of places where the password will be shown?
2. How to hide it?
2.1 I googled a bit and saw 2 main methods:
2.1.1 By using a here document:
some_command <<EOF
-p password
EOF
Will this method hide the password completely? That is, will it be
hidden from all the places that were mentioned in section 1 above?
2.1.2 By making the command line long enough so that the password will
be effectively hidden from ps. I didn't like that method.
2.1.3 Anything else?
2.2 When the source for command is under control, what is the best way
to hide the password while still being able to read it in the
command line?
2.2.1 A method which slightly deviates from the requirement is to make
the program able to read parameters from a file. Besides the need
to handle this file, what are the drawbacks?
2.2.2 What about
printf "-p password" | some_command -
?
2.2.3 Anything else?
--
"If you have an apple and I have an apple and we exchange apples then
you and I will still each have one apple. But if you have an idea and I
have an idea and we exchange these ideas, then each of us will have two
ideas." -- George Bernard Shaw (sent by shaulk @ actcom . net . il)
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
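The argv editing described in the reply, as an added C example that is not part of the original thread and is not MySQL's code. The function names and the -pSECRET argument form are assumptions; the password is copied out before the overwrite so the program never has to read the scrubbed argv again.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: find an argument of the form "-pSECRET", return a
 * private heap copy of SECRET, and overwrite the original bytes with 'x'.
 * The length is left unchanged: ps and /proc/<pid>/cmdline show the
 * process's original argv memory, so only its contents can be altered. */
char *take_and_scrub_password(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        if (strncmp(argv[i], "-p", 2) != 0 || argv[i][2] == '\0')
            continue;
        char *secret = argv[i] + 2;
        size_t len = strlen(secret);
        char *copy = malloc(len + 1);   /* copy first, argv is destroyed next */
        if (copy == NULL)
            return NULL;
        memcpy(copy, secret, len + 1);
        memset(secret, 'x', len);       /* what other users will now see */
        return copy;
    }
    return NULL;                        /* no -pSECRET argument present */
}

/* Linux only: read our own /proc entry and join the NUL-separated
 * arguments with spaces. Returns bytes read, 0 if /proc is unavailable. */
size_t visible_cmdline(char *out, size_t cap)
{
    FILE *f = (cap > 0) ? fopen("/proc/self/cmdline", "rb") : NULL;
    if (f == NULL)
        return 0;
    size_t n = fread(out, 1, cap - 1, f);
    fclose(f);
    for (size_t i = 0; i + 1 < n; i++)
        if (out[i] == '\0')
            out[i] = ' ';
    out[n] = '\0';
    return n;
}

int main(int argc, char **argv)
{
    char seen[4096];
    char *password = take_and_scrub_password(argc, argv);
    if (visible_cmdline(seen, sizeof seen) > 0)
        printf("visible in /proc: %s\n", seen);
    printf("password kept privately: %s\n", password ? "yes" : "no");
    free(password);
    return 0;
}
```

The argument is still readable from the moment of exec until the overwrite runs, so this narrows the exposure rather than removing it.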