[28412] in bugtraq
Re: ps information leak in FreeBSD
daemon@ATHENA.MIT.EDU (Damien Miller)
Thu Jan 9 15:31:30 2003
Message-ID: <3E1CF10E.4030201@mindrot.org>
Date: Thu, 09 Jan 2003 14:48:30 +1100
From: Damien Miller <djm@mindrot.org>
In-Reply-To: <20030107174846.GA21090@blossom.cjclark.org>
Crist J. Clark wrote:
> Any program that asks for a password on the command line should have
> the common decency to overwrite/obfuscate it, along the lines of,
>
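>     case 'p':
>         /* Copy the value, then overwrite the argv string in place;
>            assigning a new pointer to optarg leaves argv untouched. */
>         passwd = strdup(optarg);
>         memset(optarg, '*', strlen(optarg));
>         break;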
>
> So that it doesn't show up in any "ps" output.
That works only for OSs which support argv clobbering - it is by no
means portable and shouldn't be depended on for security.
-d
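
Added example, not part of the original message or of any program discussed in the thread: a C sketch that treats argv scrubbing as best effort only and shows the portable alternative of reading the secret from a descriptor so it never reaches the argument vector. The function names take_and_scrub and read_secret_fd are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Best effort only: copy the secret, then overwrite the argv string in place.
 * Whether ps shows the overwrite is OS-specific, and the value is exposed
 * from exec until this runs. Returns a heap copy, or NULL on failure. */
char *take_and_scrub(char *arg)
{
    size_t len = strlen(arg);
    char *copy = malloc(len + 1);
    if (copy != NULL) {
        memcpy(copy, arg, len + 1);
        memset(arg, '*', len);
    }
    return copy;
}

/* Portable alternative: read one line from a descriptor (stdin, a pipe, a
 * mode-0600 file) so the secret never appears in the argument vector.
 * Strips the newline; returns the length, or -1 on error or overflow. */
ssize_t read_secret_fd(int fd, char *buf, size_t cap)
{
    size_t n = 0;
    char c;
    ssize_t r;

    if (cap == 0)
        return -1;
    while ((r = read(fd, &c, 1)) == 1 && c != '\n') {
        if (n + 1 >= cap) {          /* too long: wipe partial data, fail */
            memset(buf, 0, cap);
            return -1;
        }
        buf[n++] = c;
    }
    if (r < 0) {
        memset(buf, 0, cap);
        return -1;
    }
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Constructed usage: ./demo <secret> < secretfile */
int main(int argc, char **argv)
{
    char buf[128];
    if (argc > 1)
        free(take_and_scrub(argv[1]));
    return read_secret_fd(STDIN_FILENO, buf, sizeof buf) < 0;
}
```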