Leaking Passwords into the Process List
Problem
ps may show passwords entered on the command line in the clear. For example:
$ ./cheesy_app -u user -p password &
[1] 13301
$ ps
  PID TT STAT    TIME COMMAND
 5280 p0 S    0:00.08 -bash
 9784 p0 R+   0:00.00 ps
13301 p0 S    0:00.01 /bin/sh ./cheesy_app -u user -p password
Solution
Try really hard not to use passwords on the command line.
Discussion
Really. Don’t do that.
Many applications that provide a -p or similar switch will also prompt you if a password is required and you do not provide it on the command line. That’s great for interactive use, but not so great in scripts. You may be tempted to write a trivial “wrapper” script or an alias to try to encapsulate the password on the command line. Unfortunately, that won’t work, since the command is eventually run and so ends up in the process list anyway. If the command can accept the password on STDIN, you may be able to pass it in that way. That creates other problems, but at least avoids displaying the password in the process list.
$ ./bad_app < ~/.hidden/bad_apps_password
If that won’t work, you’ll need to either find a new app, patch the one you are using, or just live with it.
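The difference between the two approaches can be checked directly. The script below is an added example, not code from the book: it starts one child with a constructed password in its arguments and one that reads the same password from STDIN, then inspects each child's argument list the way ps does. The secret value, the function names, and the use of sh -c as a stand-in for cheesy_app and bad_app are assumptions.

```shell
#!/bin/sh
# Added example: compare what ps shows for a password passed as an argument
# versus one fed on STDIN. The secret and app names are constructed.
SECRET='s3kr1t-constructed-value'

# Print the argument list of PID as any local user running ps would see it.
cmdline_of() {
    if command -v ps >/dev/null 2>&1 && ps -o args= -p "$1" 2>/dev/null; then
        return 0
    fi
    tr '\0' ' ' < "/proc/$1/cmdline"    # Linux fallback when ps is unusable
}

# Succeed if SECRET appears in the argument list of PID.
secret_visible() {
    case "$(cmdline_of "$1")" in
        *"$SECRET"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Password on the command line, as in "./cheesy_app -u user -p password".
leaks_via_argv() {
    sh -c 'sleep 3; :' cheesy_app -u user -p "$SECRET" >/dev/null 2>&1 &
    pid=$!
    sleep 1                              # let the child exec before we look
    rc=0; secret_visible "$pid" || rc=$?
    kill "$pid" 2>/dev/null || true
    return "$rc"
}

# Password on STDIN. printf is a shell builtin, so no new process is
# exec'd with the secret in its argument list; /bin/echo would differ.
leaks_via_stdin() {
    printf '%s\n' "$SECRET" |
        sh -c 'read -r pw; sleep 3; :' bad_app >/dev/null 2>&1 &
    pid=$!
    sleep 1
    rc=0; secret_visible "$pid" || rc=$?
    kill "$pid" 2>/dev/null || true
    return "$rc"
}

if leaks_via_argv;  then echo "argv:  password visible in ps"; fi
if leaks_via_stdin; then echo "stdin: password visible in ps"
else echo "stdin: password not in ps"; fi
```

The same check can be pointed at a real script's child PID to confirm that a wrapper or alias has not simply moved the password into another process's arguments.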