All geek questions in one place

Changing command line arguments so that they cannot be seen in ps outputs

I have an executable that accepts certain command line arguments. Any user on the machine can find the arguments by running ps (Unix) or procexp (Windows). Some of these arguments are things like passwords. I know that we should not pass passwords.

Is there any way in the code of the executable that I can change so that other users running ps / procexp cannot see the command line arguments used to run the executable?

I am sure that there is no platform-independent way for this, but even if there is some kind of API for each platform that will be a good starting point. I look forward to hearing any comments / suggestions or thoughts.

Hi,

Ash

+3
source share
8 answers

This example initgives me a segmentation error

This one, however, works:

int main(int argc, char *argv[])
{
    char * argv0 = argv[0];
    int i;
    size_t len;
    for (i = 0; i <argc; ++i)
    {
        len = strlen(argv[i]);
        memset(argv[i], 0, len);
    }
    strcpy(argv0, "Hey, can you see me?");
    for (;;);
    return 0;
}
+1
source

You are trying to make an unsafe solution a little safer. Why not just make it safer?

- , , . , - , . , ramdisk.

. , . , , .

+6

, argv, ps, , . , , .

( , ), , , ps. ( ) - /proc.

+3

, , . ps , meagar.

+2

, , , RPC. stdin - RPC , , , .

Windows, , , , , . , , .

, RPC- . , .

, .

+2

init , init ps.

int main(int argc, char * argv[]) {
   // process the arguments or make a copy of them
   // and then

   char * argv0 = argv[0];
   while (*argv++) {
      size_t len = strlen(*argv);
      memset(*argv, 0, len);
   }
   strcpy(argv0, "init");

, , * nix , . , , , , , , .

- ( , /proc/<pid>/environ, argv /proc/<pid>/cmdline Linux).

+1

If the password command line is used, you can run the program again and transfer this information to the second instance and kill the first, which will reduce the time during which the command line information will be presented.

The only good answer is to prevent them from passing information on the command line.

0
source

I usually read all sensitive data from stdin. For example, in isql (Sybase SQL shell) on Linux I am doing something like

isql -U username <<EOD
password
select * from whatever
go
0
source

Source: https://habr.com/ru/post/1767041/

More articles:


All Articles