Date:      Wed, 12 Aug 1998 12:21:10 -0400
From:      Louis Theran <k@yt.to>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Possible security "risk" in ftp client
Message-ID:  <19980812122110.A1446@yt.to>
In-Reply-To: <XFMail.980811163822.mtaylor@cybernet.com>; from Mark J. Taylor on Tue, Aug 11, 1998 at 04:38:22PM -0400
References:  <XFMail.980811163822.mtaylor@cybernet.com>

On Tue, Aug 11, 1998 at 04:38:22PM -0400, Mark J. Taylor wrote:
> 
> The neat-o FTP client program in FreeBSD "/usr/bin/ftp" has a
> cool but horrible feature:  you can specify the user name and
> password to use via the command line (in the URL), as in:
>   /usr/bin/ftp ftp://myname@mypass/ftp.freebsd.org/
> 
> This is actually quite bad: any "ps -ax" will show the username
> and password.  Using setproctitle(3) would be an attempt to close
> this, but it would create a race condition.
> 
> The program "/usr/bin/fetch" does it better: use the environment
> variables FTP_LOGIN and FTP_PASSWORD.

That is even worse, since you can still use ps axeww to see the
environment, and people tend to leave the env vars set all the time.

-- 
Louis Theran
"Te occidere possunt, sed te edere non possunt nefas quo est."
PGP welcome; key at: k-pgpkey@yt.to
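Both messages above turn on the same exposure: a password on the command line (or in the environment) is readable by anyone who can run ps. A small audit script, added here as an example and not part of either message in the thread, shows the defender's side of that: it scans ps-style "pid command" lines for URLs that embed user:password@host and reports the process, so such invocations can be found and replaced with a .netrc file or an interactive prompt. The sample ps lines, host names and the `--live` flag are constructed for the example; on a real system it relies only on `ps -axo pid,command`.

```shell
#!/bin/sh
# Added example (not code from the thread): report processes whose command line
# carries a URL with embedded credentials, the leak the thread describes.
# Input lines are "PID COMMAND" as `ps -axo pid,command` prints them.

# Constructed sample of ps output (not a real capture); two lines leak a password.
SAMPLE_PS='1234 /usr/bin/ftp ftp://myname:mypass@ftp.example.org/
1235 /usr/bin/ftp ftp.example.org
1236 /usr/bin/fetch https://www.example.org/file.txt
1237 /usr/bin/fetch ftp://anon:secret@mirror.example.org/pub/file.tgz'

# find_url_creds: read ps lines on stdin; for each line containing
# scheme://user:password@host, print "PID user@host". The password itself is
# deliberately not echoed, so the report does not repeat the leak into logs.
find_url_creds() {
    sed -n -E \
        's#^[[:space:]]*([0-9]+)[[:space:]].*[a-z]+://([^:/[:space:]]+):[^@[:space:]]*@([^/[:space:]]+).*#\1 \2@\3#p'
}

# count_url_creds: number of offending processes in the constructed sample.
count_url_creds() {
    printf '%s\n' "$SAMPLE_PS" | find_url_creds | wc -l | tr -d ' '
}

# With --live (a flag invented for this example) audit the running system;
# otherwise run over the constructed sample.
if [ "${1:-}" = "--live" ]; then
    ps -axo pid,command | find_url_creds
else
    printf '%s\n' "$SAMPLE_PS" | find_url_creds
fi
```

The regex only flags URLs that carry a `user:password@` part; a bare `user@host` is not reported because the thread's concern is the password. The same `find_url_creds` filter can be fed `ps axeww` output to cover the environment-variable case Louis raises, since FTP_PASSWORD values that are URLs will match in the same way.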
