Bugtraq mailing list archives

Re: ps information leak in FreeBSD

From: "Crist J. Clark" <crist.clark () attbi com>
Date: Tue, 7 Jan 2003 09:48:46 -0800

On Tue, Jan 07, 2003 at 09:18:00AM +0000, Jez Hancock wrote:
[snip]

It's annoying in that I see a lot of users running mysql with the -u and -p options:

mysql -u user -p mypassword

on the commandline, thinking that this info will not show up in ps listings when ps
is run by other users.  Ho hum...


Any program that asks for a password on the command line should have
the common decency to overwrite/obfuscate it, along the lines of,

        case 'p':
                passwd = optarg;
                optarg = "********";
                break;

So that it doesn't show up in any "ps" output.

Of course, there is still a window of vulnerability before the code is
executed, but any long-lived daemon has no excuse for not doing this.
-- 
Crist J. Clark                     |     cjclark () alum mit edu
                                   |     cjclark () jhu edu
http://people.freebsd.org/~cjc/    |     cjc () freebsd org

Current thread:

ps information leak in FreeBSD Cache (Jan 06)
- Re: ps information leak in FreeBSD Sean Kelly (Jan 06)
- Re: ps information leak in FreeBSD Jez Hancock (Jan 21)
  - Re: ps information leak in FreeBSD Sean Kelly (Jan 08)
  - Re: ps information leak in FreeBSD Crist J. Clark (Jan 21)
    - Re: ps information leak in FreeBSD Damien Miller (Jan 09)
    - Re: ps information leak in FreeBSD David M. Wilson (Jan 15)
- <Possible follow-ups>
- ps information leak in FreeBSD Cache (Jan 06)