[Bug-wget] FAQ on hiding passwords from ps -f
From: Nathan Phillip Brink
Subject: [Bug-wget] FAQ on hiding passwords from ps -f
Date: Mon, 11 Mar 2013 14:36:24 +0000
User-agent: Mutt/1.5.20 (2009-06-14)

I was just glancing through wget’s FAQ today and noticed something odd
in the last entry,
http://wget.addictivecode.org/FrequentlyAskedQuestions#Is_there_a_way_to_hide_my_clear-text_user.2BAC8-pass_combo_from_the_process_table.3F
. It suggests that using the following will hide the password from “$ ps -f”:

  wget --post-data "os_password=$(read -s -p "Password: " pass && echo pass)" http://localhost/login

First, as I expected, when I run that command and type “mypass” at the
prompt, it still passes “os_password=pass” to wget instead of
“os_password=mypass” (I used http://localhost:8081/):

  address@hidden ~/atheme $ nc -l -p 8081
  POST /login HTTP/1.1
  User-Agent: Wget/1.14 (linux-gnu)
  Accept: */*
  Host: localhost:8081
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 16

  os_password=pass

To remedy this, naturally, the “echo pass” would be replaced with
“echo $pass” or “echo ${pass}”.

Secondly, the password still appears in “$ ps -f” (the process was
hanging around because I’m not very experienced at being an httpd so I
didn’t know what to say back to wget ;-)):

  address@hidden ~/pcsx2-read-only $ ps -fe | grep -e wge[t]
  1000 6219 4180 0 10:20 pts/10 00:00:00 wget --post-data os_password=pass http://localhost:8081/login

Would someone be willing to explain why this method was
thought to be a way of hiding a typed password from “$ ps -f”? The
suggested command is misleading and, because of the question it is
answering, the answer suggests that wget implements its own subshell
to dynamically calculate its parameters. Using shell-expansion is
(quite obviously, IMO) no way to hide parameters from “$ ps -f”. Thus,
I assumed that it must somehow not be shell-expansion until I
remembered that double-quotes purposefully do not inhibit shell
parameter expansion ;-). It might make sense if wget actually somehow
implemented sh’s read function and that the expansion happened inside
of the wget process the password would be hidden…

I think that the command should be revised to use --post-file. I think
that the “read -s -p pass; echo "os_password=${pass}" > sometempfile”
method will work OK *as long as echo is a shell built-in*.
--
binki
Look out for missing or extraneous apostrophes!
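
The --post-file approach proposed in the message above, written out as an added example; it is not code from the original post or from the wget FAQ. The helper names runs_in_shell, make_post_body and post_login are hypothetical, and the password is sent as typed, without percent-encoding, as in the FAQ command.

```shell
# Added example: the password only ever lives in a shell variable and in a
# private temp file, never in the argument list of an external process.

# Succeeds only if $1 is resolved inside the shell (builtin or function)
# rather than to a program on disk, whose arguments ps would show.
runs_in_shell() {
    case "$(command -v "$1" 2>/dev/null)" in
        ""|/*) return 1 ;;
        *)     return 0 ;;
    esac
}

# Read one line from stdin (echo off when stdin is a terminal), write
# "os_password=<line>" to a temp file, and print that file's path.
make_post_body() {
    runs_in_shell printf || { echo "printf is not a builtin here" >&2; return 1; }
    body=$(mktemp) || return 1      # mktemp creates the file with mode 0600
    if [ -t 0 ]; then
        printf 'Password: ' >&2
        stty -echo
    fi
    IFS= read -r pass
    if [ -t 0 ]; then
        stty echo
        printf '\n' >&2
    fi
    printf 'os_password=%s' "$pass" > "$body"   # builtin: no new process
    unset pass
    printf '%s\n' "$body"
}

# POST the body to URL $1; ps shows only the temp file name for wget.
post_login() {
    body=$(make_post_body) || return 1
    wget --post-file "$body" "$1"
    status=$?
    rm -f "$body"
    return "$status"
}
```

Call it as `post_login http://localhost:8081/login`; while wget runs, ps -f lists the temp file path after --post-file and nothing else about the password.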