From owner-freebsd-security  Tue Aug 11 16:11:35 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id QAA24193
          for freebsd-security-outgoing; Tue, 11 Aug 1998 16:11:35 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA24176
          for <freebsd-security@FreeBSD.ORG>; Tue, 11 Aug 1998 16:11:32 -0700 (PDT)
          (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost)
	by aniwa.sky (8.8.7/8.8.7) with SMTP id LAA17117;
	Wed, 12 Aug 1998 11:09:30 +1200 (NZST)
	(envelope-from andrew@squiz.co.nz)
Date: Wed, 12 Aug 1998 11:09:29 +1200 (NZST)
From: Andrew McNaughton <andrew@squiz.co.nz>
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: "Mark J. Taylor" <mtaylor@cybernet.com>
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client
In-Reply-To: <XFMail.980811163822.mtaylor@cybernet.com>
Message-ID: <Pine.BSF.3.96.980812105007.16956A-100000@aniwa.sky>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 11 Aug 1998, Mark J. Taylor wrote:

> The neat-o FTP client program in FreeBSD "/usr/bin/ftp" has a
> cool but horrible feature:  you can specify the user name and
> password to use via the command line (in the URL), as in:
>   /usr/bin/ftp ftp://myname@mypass/ftp.freebsd.org/

Why on earth doesn't it use standard URL syntax?

ftp://username:pass@host/dir/dir/file



> This is actually quite bad: any "ps -ax" will show the username
> and password.  Using setproctitle(3) would be an attempt to close
> this, but it would create a race condition.

Also, it would not remove the password from ~/.history.

> The program "/usr/bin/fetch" does it better: use the environment
> variables FTP_LOGIN and FTP_PASSWORD.

Environment variables are not private.
 
> Is there any possibility of making a man page annotation that lists
> this "hole"?  And of getting in a patch that uses the environment?
> I can do the work, unless someone else would rather do it...

Passwords and other secure data should never appear on the command line
or in environment variables.  Mentioning this for every possible client is
a bit beside the point.

If you need to pass passwords to a program and you don't want the shell
to see, and probably leak that information, you'll have to do it via stdin
or a file.

Andrew


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message