Re: [dev] FTP script: how to store password?

From: Rob <robpilling_AT_gmail.com>
Date: Sat, 9 Feb 2013 20:44:49 +0000

On Sat, Feb 09, 2013 at 01:41:26PM +0100, Hugues Moretto-Viry wrote:
> If I understand correctly, your demonstration works because it's like you
> added a parameter to an existing program.
> In my script, you can't use a parameter, I just use variables inside the
> script.
> So, ps -ax just shows the called script or the command used in the variable
> (here SQLite) and not the string.
>
> That's why I said I was unable to display the plain password (with SQLite I
> mean). :)

$ PASS=hello sleep 60 &
[1] 16667

$ pid=$!

$ ps ax | grep $pid
16667 pts/6 S 0:00 sleep 60

$ tr '\0' '\n' < /proc/$pid/environ | grep PASS
PASS=hello

Of course, the "attacker" would need read permission on /proc/$pid,
which is normally 600.


Rob
Received on Sat Feb 09 2013 - 21:44:49 CET
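
The following shell script is an added example, not code from the thread. It starts a child with the same constructed secret three ways (command-line argument, environment variable, stdin) and reports which of /proc/PID/cmdline and /proc/PID/environ expose it. The function names, the `fake-ftp` argument layout and the secret value are assumptions, and a Linux /proc is required.

```shell
#!/bin/sh
# Added example (not from the original thread). SECRET is a constructed value;
# function names and the fake-ftp argument layout are assumptions for the demo.
SECRET='constructed-demo-secret-7f3a'

# Print which of /proc/PID/{cmdline,environ} contain the string, one per line.
secret_locations() {
    for f in cmdline environ; do
        # Both files are NUL-separated records; make them line-oriented first.
        if tr '\0' '\n' 2>/dev/null < "/proc/$1/$f" | grep -qF -- "$2"; then
            echo "$f"
        fi
    done
}

# Succeed if "other" users have read permission on /proc/PID/FILE.
world_readable() {
    case "$(stat -c '%A' "/proc/$1/$2")" in
        ???????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# Start the same secret three ways and print where each copy is visible.
demo() {
    # 1. Secret as a command-line argument (sh stands in for an FTP client).
    sh -c 'sleep 5; :' fake-ftp --password "$SECRET" >/dev/null 2>&1 &
    p_argv=$!
    # 2. Secret in the child's environment, as in the session above.
    PASS="$SECRET" sleep 5 >/dev/null 2>&1 &
    p_env=$!
    # 3. Secret written to the child's stdin, held in an unexported variable.
    printf '%s\n' "$SECRET" | sh -c 'read -r p; sleep 5; :' >/dev/null 2>&1 &
    p_stdin=$!
    sleep 1   # let the children exec before inspecting /proc
    for pair in "argv:$p_argv" "env:$p_env" "stdin:$p_stdin"; do
        set -- $(secret_locations "${pair#*:}" "$SECRET")
        echo "${pair%%:*}: ${*:-none}"
    done
    kill "$p_argv" "$p_env" "$p_stdin" 2>/dev/null || true
}

demo
```

`world_readable PID cmdline` and `world_readable PID environ` show which of the two files other local users can open at all.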