Shell script password protection command line options

If I pass the password as a command-line parameter, it is visible to everyone on the system via ps.

But if I am in a bash shell script and I am doing something like:

 ... { somecommand -p mypassword } ... 

Will it still appear in the process list? Or is it safe?

  • What about subshells: ( ... )? Unsafe
  • What about a coprocess?
+6
4 answers

Command lines will always be visible (if only through /proc).

So the only real answer: don't. You can put it on stdin or on a dedicated fd instead:

 ./my_secured_process some parameters 3<<<"b@dP2ssword"

with a script like (simplicity first)

 #!/bin/bash
 cat 0<&3

(this sample would just echo the bad password to stdout)

Now all you need to worry about is:

  • MITM (fake scripts that steal the password, e.g. via PATH substitution)
  • bash history saving your password from the command line (see HISTIGNORE for bash, for example)
  • the security of the script that contains the password redirection
  • the security of the tty used; keyloggers; ... as you can see, we have now descended into "general security principles"
+6

The called program can change its command line by simply overwriting argv as follows:

    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        /* size of the contiguous argv area: from the start of argv[0] to the
           terminating NUL of the last argument */
        size_t arglen = argv[argc - 1] + strlen(argv[argc - 1]) + 1 - argv[0];
        memset(argv[0], 0, arglen);                      /* wipe every argument */
        strncpy(argv[0], "secret-program", arglen - 1);  /* new name shown by ps */
        sleep(100);                                      /* stay alive so ps can be run */
        return 0;
    }

Testing:

    $ ./a.out mySuperPassword &
    $ ps -f
    UID        PID  PPID  C STIME TTY          TIME CMD
    me       20398 18872  0 11:26 pts/3    00:00:00 bash
    me       20633 20398  0 11:34 pts/3    00:00:00 secret-program
    me       20645 20398  0 11:34 pts/3    00:00:00 ps -f
    $

UPD: I know that this is not completely safe and can cause race conditions, but many programs that accept a password from the command line do this trick.

+3

How to use a file descriptor:

    env -i bash --norc                         # clean environment
    set +o history
    read -s -p "Enter your password: " passwd
    exec 3<<<"$passwd"
    mycommand <&3                              # cat /dev/stdin in mycommand

See:

Hiding a secret from a command-line parameter on Unix

+3

The only way to avoid being displayed in the process list is to override all the functionality of the program you want to call in pure Bash functions. Function calls are not separate processes. This is usually not possible.

0

Source: https://habr.com/ru/post/892210/
