Bugtraq mailing list archives
Re: ps information leak in FreeBSD
From: "Crist J. Clark" <crist.clark () attbi com>
Date: Tue, 7 Jan 2003 09:48:46 -0800
On Tue, Jan 07, 2003 at 09:18:00AM +0000, Jez Hancock wrote: [snip]
It's annoying in that I see a lot of users running mysql with the -u and -p options: mysql -u user -p mypassword on the commandline, thinking that this info will not show up in ps listings when ps is run by other users. Ho hum...
Any program that asks for a password on the command line should have the common decency to overwrite/obfuscate it, along the lines of, case 'p': passwd = optarg; optarg = "********"; break; So that it doesn't show up in any "ps" output. Of course, there is still a window of vulnerability before the code is executed, but any long-lived daemon has no excuse for not doing this. -- Crist J. Clark | cjclark () alum mit edu | cjclark () jhu edu http://people.freebsd.org/~cjc/ | cjc () freebsd org
Current thread:
- ps information leak in FreeBSD Cache (Jan 06)
- Re: ps information leak in FreeBSD Sean Kelly (Jan 06)
- Re: ps information leak in FreeBSD Jez Hancock (Jan 21)
- Re: ps information leak in FreeBSD Sean Kelly (Jan 08)
- Re: ps information leak in FreeBSD Crist J. Clark (Jan 21)
- Re: ps information leak in FreeBSD Damien Miller (Jan 09)
- Re: ps information leak in FreeBSD David M. Wilson (Jan 15)
- <Possible follow-ups>
- ps information leak in FreeBSD Cache (Jan 06)