Re: [dev] [ii] exposed password on process monitoring

From: pancake <pancake_AT_youterm.com>
Date: Sat, 16 Jun 2012 18:19:09 +0200

Prefix the 'echo' with a whitespace unless you want your password in the shell history.

Else use /dev/stdin as password file and press ^D to end the password.

If you dump the process memory the password will still be there. So if the environ is a problem, the process memory is too. So bear in mind to trash the data where the password is after using it.


On Saturday, June 16, 2012 at 4:44 PM, Calvin Morrison wrote:

> Ah how silly of me
> On Jun 16, 2012 8:06 AM, "Andrew Hills" <hills.as_AT_gmail.com> wrote:
> > On Fri, Jun 15, 2012 at 7:14 PM, Calvin Morrison <mutantturkey_AT_gmail.com> wrote:
> > > On Jun 15, 2012 6:13 PM, "Kurt H Maier" <khm-suckless_AT_intma.in> wrote:
> > >> On Fri, Jun 15, 2012 at 05:28:14PM -0400, Calvin Morrison wrote:
> > >> > Why not just pass the argument from a file?
> > >> >
> > >> > Exec --flag `cat password-file`
> > >> hahahah
> > > What is so funny?
> >
> > Try this for me: take the attached file, argv.c, and drop it
> > somewhere; find it, run "make argv", and then do something like:
> > $ echo secretpassword > passwordfile
> > $ ./argv `cat passwordfile`
> > Look at the output. If you haven't caught on yet, run ps or top and
> > look at the process. Make sense now?
> >
> > --Andrew Hills
Received on Sat Jun 16 2012 - 18:19:09 CEST
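
The advice in this thread, as an added C example that is not from the original mails or from ii: take the password from a file or stdin instead of argv, check on Linux that it does not show up in `/proc/self/cmdline` (what ps reads), and overwrite the buffer after use. The names `read_secret`, `wipe` and `in_cmdline` are made up for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Overwrite n bytes; volatile so the stores are not dropped as dead code. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Read one line from fp into buf, strip the newline; length or -1. */
static long read_secret(FILE *fp, char *buf, size_t cap)
{
    size_t n;
    if (cap < 2 || fgets(buf, (int)cap, fp) == NULL)
        return -1;
    n = strcspn(buf, "\r\n");
    if (buf[n] == '\0' && !feof(fp)) { /* no newline, not EOF: too long */
        wipe(buf, cap);                /* never keep a partial password */
        return -1;
    }
    buf[n] = '\0';
    return (long)n;
}

/* Linux only: 1 if needle is in our argv as ps sees it, 0 if not, -1 if no /proc. */
static int in_cmdline(const char *needle)
{
    char cmd[4096];
    size_t len, i, nl = strlen(needle);
    FILE *fp = fopen("/proc/self/cmdline", "rb");
    if (fp == NULL) return -1;
    len = fread(cmd, 1, sizeof cmd, fp);
    fclose(fp);
    for (i = 0; nl > 0 && i + nl <= len; i++)
        if (memcmp(cmd + i, needle, nl) == 0)
            return 1;
    return 0;
}

int main(int argc, char **argv)
{
    char pw[128];
    FILE *fp = argc > 1 ? fopen(argv[1], "r") : stdin; /* path, not the secret */
    if (fp == NULL || read_secret(fp, pw, sizeof pw) < 0)
        return 1;
    printf("password visible in argv: %d\n", in_cmdline(pw));
    wipe(pw, sizeof pw); /* after the last use of the password */
    return 0;
}
```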
