From owner-freebsd-security Tue Aug 11 15:55:05 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA21833 for freebsd-security-outgoing; Tue, 11 Aug 1998 15:55:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA21821 for ; Tue, 11 Aug 1998 15:55:03 -0700 (PDT) (envelope-from archie@whistle.com)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id PAA18418; Tue, 11 Aug 1998 15:54:36 -0700 (PDT)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma018416; Tue Aug 11 15:54:29 1998
Received: (from archie@localhost) by bubba.whistle.com (8.8.7/8.6.12) id PAA24554; Tue, 11 Aug 1998 15:54:29 -0700 (PDT)
From: Archie Cobbs
Message-Id: <199808112254.PAA24554@bubba.whistle.com>
Subject: Re: Possible security "risk" in ftp client
In-Reply-To: from "Mark J. Taylor" at "Aug 11, 98 04:38:22 pm"
To: mtaylor@cybernet.com
Date: Tue, 11 Aug 1998 15:54:29 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mark J. Taylor writes:
> The neat-o FTP client program in FreeBSD "/usr/bin/ftp" has a
> cool but horrible feature: you can specify the user name and
> password to use via the command line (in the URL), as in:
> /usr/bin/ftp ftp://myname@mypass/ftp.freebsd.org/
>
> This is actually quite bad: any "ps -ax" will show the username
> and password. Using setproctitle(3) would be an attempt to close
> this, but it would create a race condition.

IMHO, a stern warning in the man page is warranted, but nothing more...

-Archie
___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
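The race Mark describes, worked through as an added C example. This is not code from the FreeBSD ftp client or from anyone on this thread; the function names, the assumed URL shape (ftp://user:password@host/path) and the sample URLs in the test are all my own. ps(1) reads a process's argument strings from the process's own memory, which is why a client can overwrite the password in argv[] after reading it; the window between execve(2) and that overwrite is exactly the race that setproctitle(3) or any in-process scrubbing cannot close.

```c
#include <stdio.h>
#include <string.h>

/*
 * Locate the password inside an ftp URL of the assumed form
 *   ftp://user:password@host/path
 * On success store its byte offset within `url` and its length and return 1;
 * return 0 when the URL carries no "user:password@" userinfo part.
 * The userinfo ends at the last '@' before the first '/', so an '@' later in
 * the path does not confuse the scan.
 */
static int find_password(const char *url, size_t *off, size_t *len)
{
    const char *p = url;
    if (strncmp(p, "ftp://", 6) == 0)
        p += 6;

    const char *end = strchr(p, '/');
    if (end == NULL)
        end = p + strlen(p);

    const char *at = NULL;
    for (const char *q = p; q < end; q++)
        if (*q == '@')
            at = q;
    if (at == NULL)
        return 0;                       /* no userinfo at all */

    const char *colon = memchr(p, ':', (size_t)(at - p));
    if (colon == NULL)
        return 0;                       /* "user@host": no password */

    *off = (size_t)(colon + 1 - url);
    *len = (size_t)(at - colon - 1);
    return 1;
}

/* Copy the URL's password into `out` (NUL-terminated); return its length or -1. */
int extract_url_password(const char *url, char *out, size_t outlen)
{
    size_t off, len;
    if (!find_password(url, &off, &len) || len + 1 > outlen)
        return -1;
    memcpy(out, url + off, len);
    out[len] = '\0';
    return (int)len;
}

/*
 * Overwrite the password bytes in place (applied to the argv[] entry itself,
 * this is what hides it from ps(1)).  The length is kept so the string is
 * still a valid URL.  Returns the number of bytes scrubbed.
 */
int scrub_url_password(char *url)
{
    size_t off, len;
    if (!find_password(url, &off, &len))
        return 0;
    memset(url + off, 'X', len);
    return (int)len;
}

int main(int argc, char **argv)
{
    char password[128];

    for (int i = 1; i < argc; i++) {
        if (extract_url_password(argv[i], password, sizeof password) < 0)
            continue;
        /*
         * Race window: from execve(2) until the scrub below, anyone running
         * ps(1) sees the password in this process's arguments.  Scrubbing
         * narrows the window; it cannot close it.
         */
        scrub_url_password(argv[i]);
        printf("argv[%d] now reads: %s\n", i, argv[i]);

        /* ... log in with `password` here, then wipe the private copy ... */
        memset(password, 0, sizeof password);
    }
    return 0;
}
```

Run it as `./scrub 'ftp://myname:mypass@ftp.freebsd.org/'` (a constructed URL) and watch `ps -o command` from another shell: after the scrub the argument shows as ftp://myname:XXXXXX@ftp.freebsd.org/, but a ps that lands before the first line of main() still sees "mypass". The only way to remove the window entirely is to keep the secret out of argv altogether, for example by prompting for it or reading it from ~/.netrc, which ftp(1) already supports.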