Date: Tue, 11 Aug 1998 20:45:13 -0400
From: Garance A Drosihn <drosih@rpi.edu>
To: mtaylor@cybernet.com, freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client
Message-ID: <v0401170ab1f689b6389e@[128.113.24.47]>
In-Reply-To: <XFMail.980811163822.mtaylor@cybernet.com>

At 4:38 PM -0400 8/11/98, Mark J. Taylor wrote:
> This is actually quite bad: any "ps -ax" will show the username
> and password. Using setproctitle(3) would be an attempt to close
> this, but it would create a race condition.
>
> The program "/usr/bin/fetch" does it better: use the environment
> variables FTP_LOGIN and FTP_PASSWORD.

I guess you haven't tried 'ps -axeww' very often...

At the very least, it does sound like a good idea to have the ftp client call setproctitle (or whatever) to reduce the security exposure of the current behavior, but changing it to use environment variables would be a step backwards...

---
Garance Alistair Drosehn = gad@eclipse.its.rpi.edu
Senior Systems Programmer or drosih@rpi.edu
Rensselaer Polytechnic Institute

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
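
Added example, not part of the original message: a Linux-only Python check of the exposure discussed above. It starts a child process that receives a password through argv, through the FTP_PASSWORD environment variable named in the quoted text, or through its stdin, and reports whether the value shows up in /proc/<pid>/cmdline or /proc/<pid>/environ, the per-process records that ps reads on Linux. The password value, the child program and the stdin case are assumptions introduced for contrast.

```python
import os
import subprocess
import sys

SECRET = "constructed-pass-1234"  # constructed sample value, not a real credential
# The child only blocks on stdin, so it stays alive while it is inspected.
CHILD = "import sys; sys.stdin.read()"


def visible_in(pid):
    """Report where SECRET appears in the kernel's records for process `pid`."""
    found = {}
    for name in ("cmdline", "environ"):
        with open(f"/proc/{pid}/{name}", "rb") as fh:
            found[name] = SECRET.encode() in fh.read()
    return found


def run_case(how):
    """Start a child that receives SECRET via `how`, then inspect it."""
    argv = [sys.executable, "-c", CHILD]
    env = dict(os.environ)
    if how == "argv":
        argv.append(SECRET)             # password on the command line
    elif how == "env":
        env["FTP_PASSWORD"] = SECRET    # password in the environment
    child = subprocess.Popen(argv, env=env, stdin=subprocess.PIPE)
    try:
        if how == "stdin":
            # Password sent over a pipe: never part of argv or the environment.
            child.stdin.write(SECRET.encode() + b"\n")
            child.stdin.flush()
        return visible_in(child.pid)
    finally:
        child.stdin.close()             # EOF lets the child exit
        child.wait()


if __name__ == "__main__":
    for how in ("argv", "env", "stdin"):
        print(how, run_case(how))
```

On Linux, /proc/<pid>/environ is readable only by the process owner and root, so the environment case is narrower there than the command-line case, but the value is still recorded for the life of the process.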