sending password in the command line

To: debian-security@lists.debian.org
Subject: sending password in the command line
From: Pedro Zorzenon Neto <pzn@terra.com.br>
Date: Thu, 27 Dec 2001 13:27:02 -0200
Message-id: <[🔎] 20011227152702.GA17956@mantis.autsens.localnet>
Reply-to: pzn@terra.com.br

Hi Friends,

  I am developing a software to provide access control to users of a
  network.
  The gateway has ipchains rules to DENY packets from all 192.168.0.0/16
  hosts to the 0.0.0.0/0 world.

  If the user (a regular user, not root) does:

   $ myprogram enable username password IP

  the program checks the password in a internal database, and enable
  packets from the given IP to the 0/0 world. It also logs user/ip/date.

  if the user does:

   $ myprogram disable username password IP

  it disables the ipchains rules that were enabled before.

  The program seems to be working well.

  Now, here is my question:

    - everybody can capture the passwords with a "ps aux" command, ok?
    
    - what about doing this to prevent simple ps aux "sniff"

      $ PASS="password" myprogram enable username IP

    then "myprogram" will read the PASS from the environment.
    is there anyway a regular user could capture passwords?


  Thanks in advance,
  
    Pedro

Reply to:

Follow-Ups:
- Re: sending password in the command line
  - From: David Flatz <david@upcs.at>
- Re: sending password in the command line
  - From: xbud <xbud@g0thead.com>

Prev by Date: Re: Secure 2.4.x kernel
Next by Date: Re: sending password in the command line
Previous by thread: Re: Campus Computers
Next by thread: Re: sending password in the command line
Index(es):
- Date
- Thread