Re: sending password in the command line

To: Pedro Zorzenon Neto <pzn@terra.com.br>, debian-security@lists.debian.org
Subject: Re: sending password in the command line
From: Pedro Zorzenon Neto <pzn@terra.com.br>
Date: Thu, 27 Dec 2001 14:11:42 -0200
Message-id: <[🔎] 20011227161142.GA27615@mantis.autsens.localnet>
Reply-to: pzn@terra.com.br
In-reply-to: <[🔎] 20011227154645.GA1770@mortox>
References: <[🔎] 20011227152702.GA17956@mantis.autsens.localnet> <[🔎] 20011227154645.GA1770@mortox>

On Thu, Dec 27, 2001 at 04:46:45PM +0100, David Flatz wrote:
> Pedro Zorzenon Neto said:
> >       $ PASS="password" myprogram enable username IP
> > 
> >     then "myprogram" will read the PASS from the environment.
> >     is there anyway a regular user could capture passwords?
> 
> yes it is "ps auxe"
> 
> try getting the password via <stdin> like "mysql -p"
>

Thanks for you sugestion David,

  As it is a Perl script that will call the program, I'll do in the Perl
  code something like this:

  $tmp=`umask 177; tempfile`;
  fopen (PASS,">$tmp");
  print PASS $password;
  fclose PASS;
  `cat $tmp | myprogram enable $user $ip; rm -f $tmp`;

  will this be safe now?

  Thanks,
    Pedro

Reply to:

Follow-Ups:
- Re: sending password in the command line
  - From: David Flatz <david@upcs.at>
- Re: sending password in the command line
  - From: Pedro Zorzenon Neto <pzn@terra.com.br>
- Re: sending password in the command line
  - From: Johannes Weiss <weissi@tux4u.de>

References:
- sending password in the command line
  - From: Pedro Zorzenon Neto <pzn@terra.com.br>
- Re: sending password in the command line
  - From: David Flatz <david@upcs.at>

Prev by Date: Re: sending password in the command line
Next by Date: Re: sending password in the command line
Previous by thread: Re: sending password in the command line
Next by thread: Re: sending password in the command line
Index(es):
- Date
- Thread