From owner-freebsd-security Tue Aug 11 16:37:08 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA28421 for freebsd-security-outgoing; Tue, 11 Aug 1998 16:37:08 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA28409 for ; Tue, 11 Aug 1998 16:37:04 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.8.8/8.8.8) id TAA14070; Tue, 11 Aug 1998 19:36:09 -0400 (EDT) (envelope-from wollman) Date: Tue, 11 Aug 1998 19:36:09 -0400 (EDT) From: Garrett Wollman Message-Id: <199808112336.TAA14070@khavrinen.lcs.mit.edu> To: andrew@squiz.co.nz Cc: "Mark J. Taylor" , freebsd-security@FreeBSD.ORG Subject: Re: Possible security "risk" in ftp client In-Reply-To: References: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: >> The program "/usr/bin/fetch" does it better: use the environment >> variables FTP_LOGIN and FTP_PASSWORD. > Environment variables are not private. > If you need to pass passwords to a program and you don't want the shell > to see, and probably leak that information, you'll have to do it via stdin > or a file. As the HTTP implementation in fetch(1) will in fact do. I did not think it worth the (five minutes') effort to implement it for FTP. (But I should go back and implement the MD5-based password authentication mode for HTTP....) -GAWollman -- Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same wollman@lcs.mit.edu | O Siem / The fires of freedom Opinions not those of| Dance in the burning flame MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message