Re: [dev] [ii] exposed password on process monitoring

From: Nico Golde <nico_AT_ngolde.de>
Date: Fri, 20 Apr 2012 01:19:14 +0200

Hi,
* Connor Lane Smith <cls_AT_lubutu.com> [2012-04-19 18:51]:
> On 19 April 2012 17:24, Ivan Kanakarakis <ivan.kanak_AT_gmail.com> wrote:
> > I was thinking in having -k with no argument to go search for a file
> > like oftc.passwd and grab the password from there.
>
> How about making 'ii -k -' read the password from stdin? Flags with
> optional arguments are bad, imo.

I don't really like putting that in a file. I'm currently more in favor of something
simpler, like the following:
diff -r d163c8917af7 ii.c
--- a/ii.c Mon Oct 31 21:35:12 2011 +0100
+++ b/ii.c Fri Apr 20 01:18:31 2012 +0200
_AT_@ -460,7 +460,7 @@
        int i;
        unsigned short port = SERVER_PORT;
        struct passwd *spw = getpwuid(getuid());
- char *key = NULL, *fullname = NULL;
+ char *key = getenv("II_KEY"), *fullname = NULL;
        char prefix[_POSIX_PATH_MAX];

        if(!spw) {
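
Review bot: on the changed `key` declaration, `II_KEY` is introduced without any documentation in this hunk, so the usage text and man page should name the variable and state how it interacts with -k. The pointer returned by getenv() refers into the process environment, so the password stays there for the life of the process and is inherited by any child process; consider copying the value and calling unsetenv("II_KEY") afterwards. An II_KEY that is set but empty also yields a non-NULL `key`, which is worth treating the same as unset.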

If you don't want to leak your password use the environment variable and not -k then...

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion_AT_jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
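
The two alternatives discussed in this message (`-k -` reading the password from stdin, and the `II_KEY` environment variable from the patch), combined as an added example that is not ii's code and not part of the original mail. The helper name `load_key`, its return codes and the precedence order are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* for unsetenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not part of ii: copy the server password into buf.
 * Assumed precedence: "-k -" (stdin), then "-k value", then II_KEY.
 * Returns 1 if a key was stored, 0 if none was given, -1 on error. */
int load_key(int argc, char **argv, FILE *in, char *buf, size_t len)
{
	const char *env;
	int i;

	for (i = 1; i + 1 < argc; i++) {
		if (strcmp(argv[i], "-k") != 0)
			continue;
		if (strcmp(argv[i + 1], "-") == 0) {
			/* the password arrives on stdin and never appears in argv */
			if (!fgets(buf, (int)len, in))
				return -1;
			buf[strcspn(buf, "\r\n")] = '\0';
			return buf[0] ? 1 : -1;
		}
		if (strlen(argv[i + 1]) >= len)
			return -1;
		strcpy(buf, argv[i + 1]);
		/* wipe the argument in place; it was still visible until this point */
		memset(argv[i + 1], 0, strlen(argv[i + 1]));
		return 1;
	}
	env = getenv("II_KEY");
	if (!env || !*env) /* treat an empty variable as unset */
		return 0;
	if (strlen(env) >= len)
		return -1;
	strcpy(buf, env);
	unsetenv("II_KEY"); /* child processes no longer inherit it */
	return 1;
}
```

On Linux the command line of a process is readable by every local user by default, while `/proc/<pid>/environ` is restricted to the same user and root, so the environment variable narrows who can see the password rather than hiding it completely.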

Received on Fri Apr 20 2012 - 01:19:14 CEST