Date:      Tue, 11 Aug 1998 15:54:29 -0700 (PDT)
From:      Archie Cobbs <archie@whistle.com>
To:        mtaylor@cybernet.com
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Possible security "risk" in ftp client
Message-ID:  <199808112254.PAA24554@bubba.whistle.com>
In-Reply-To: <XFMail.980811163822.mtaylor@cybernet.com> from "Mark J. Taylor" at "Aug 11, 98 04:38:22 pm"

Mark J. Taylor writes:
> The neat-o FTP client program in FreeBSD "/usr/bin/ftp" has a
> cool but horrible feature:  you can specify the user name and
> password to use via the command line (in the URL), as in:
>   /usr/bin/ftp ftp://myname@mypass/ftp.freebsd.org/
> 
> This is actually quite bad: any "ps -ax" will show the username
> and password.  Using setproctitle(3) would be an attempt to close
> this, but it would create a race condition.

IMHO, a stern warning in the man page is warranted, but nothing
more...

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com
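
Added example, not part of the original message or of FreeBSD's ftp(1): a defender-side audit that scans a "ps -ax" listing for URLs carrying a password in argv, the exposure described in the quoted text, and reports them with the password redacted. It assumes the usual scheme://user:password@host/ URL form; the listing, PIDs and names are constructed sample data, and find_exposed_credentials is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit

# Any scheme://... token on a command line (ftp, http, and so on).
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s'\"]+", re.I)

# Constructed sample in FreeBSD "ps -ax" layout: PID TT STAT TIME COMMAND.
SAMPLE_PS = """\
  PID  TT  STAT      TIME COMMAND
  214  ??  Is     0:00.31 /usr/sbin/inetd -wW
 4821  p0  S+     0:00.02 /usr/bin/ftp ftp://myname:mypass@ftp.freebsd.org/pub/
 4830  p1  S+     0:00.01 /usr/bin/ftp ftp://ftp.freebsd.org/pub/
 4907  p2  S+     0:00.01 fetch ftp://anonymous@ftp.freebsd.org/README
""".splitlines()


def find_exposed_credentials(ps_lines):
    """Return (pid, username, redacted_command) for every process whose
    argv contains a URL with a non-empty password component."""
    findings = []
    for line in ps_lines:
        parts = line.split(None, 4)
        if len(parts) < 5 or not parts[0].isdigit():
            continue  # header line or a row without a command column
        pid, command = int(parts[0]), parts[4]
        for url in URL_RE.findall(command):
            try:
                split = urlsplit(url)
                user, password = split.username, split.password
            except ValueError:
                continue  # malformed authority, e.g. unbalanced IPv6 brackets
            if not password:
                continue  # no userinfo, or a user name without a password
            # Redact before reporting so the audit output does not itself
            # become a second copy of the secret.
            safe_url = url.replace(":" + password + "@", ":***@", 1)
            findings.append((pid, user, command.replace(url, safe_url)))
    return findings


if __name__ == "__main__":
    for pid, user, cmd in find_exposed_credentials(SAMPLE_PS):
        print(f"pid {pid}: password for '{user}' visible in argv: {cmd}")
```

A hit only shows that the password was readable by every local user for as long as the process ran, so the credential should be treated as disclosed and changed.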
