[28515] in bugtraq
Re: ps information leak in FreeBSD
daemon@ATHENA.MIT.EDU (Crist J. Clark)
Tue Jan 21 02:13:10 2003
Date: Tue, 7 Jan 2003 09:48:46 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: bugtraq@securityfocus.com, Cache <cache@sowatech.com.pl>
Message-ID: <20030107174846.GA21090@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030107091800.GC56102@users.munk.nu>
On Tue, Jan 07, 2003 at 09:18:00AM +0000, Jez Hancock wrote:
[snip]
> It's annoying in that I see a lot of users running mysql with the -u and -p options:
>
> mysql -u user -p mypassword
>
> on the commandline, thinking that this info will not show up in ps listings when ps
> is run by other users. Ho hum...
Any program that asks for a password on the command line should have
the common decency to overwrite/obfuscate it, along the lines of,
case 'p':
passwd = optarg;
optarg = "********";
break;
So that it doesn't show up in any "ps" output.
Of course, there is still a window of vulnerability before the code is
executed, but any long-lived daemon has no excuse for not doing this.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
