From owner-freebsd-security Tue Jun 29 9: 5: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bsdserve1.comsite.net (bsdserve1.comsite.net [205.238.176.2]) by hub.freebsd.org (Postfix) with ESMTP id 8F6BA14C82 for ; Tue, 29 Jun 1999 09:05:02 -0700 (PDT) (envelope-from dave@comsite.net)
Received: from localhost (dave@localhost) by bsdserve1.comsite.net (8.9.1/8.9.1) with SMTP id LAA11899; Tue, 29 Jun 1999 11:04:40 -0500 (CDT)
Date: Tue, 29 Jun 1999 11:04:40 -0500 (CDT)
From: dave
To: Bill Fumerola
Cc: Dag-Erling Smorgrav , "N.N.M" , freebsd-security@FreeBSD.ORG
Subject: Re: A strange process
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Having the password on the command line is a huge security hole, BTW...
Even if the program erases it from argv, there is still the time between
when the program is invoked and when it erases argv when the password can
be grabbed. A script doing nothing but ps would eventually grab one.

On Tue, 29 Jun 1999, Bill Fumerola wrote:

> On 29 Jun 1999, Dag-Erling Smorgrav wrote:
>
> > Bill Fumerola writes:
> > > On Tue, 29 Jun 1999, N.N.M wrote:
> > > > login -p zzzzzzzz
> > >
> > > The password given at the command line, however login 'hides' that
> > > password in the process list so people snooping around don't catch it.
> >
> > No. 'man login'.
>
> Oh, well, that's what the mysql client does, I just made a guess. :>
>
> - bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
> - ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
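
The exposure described in the message above, next to the usual alternative of handing the secret to the program over standard input, as an added example that is not part of the original thread. The `--password=` option name, the sample secret and the child program are constructed for the demonstration; the argument list is read from `/proc` where it exists and from `ps` otherwise.

```python
import os
import subprocess
import sys

SECRET = "constructed-demo-secret"  # constructed sample value, not a real password
# Hypothetical child program: blocks on stdin so it stays alive while inspected.
CHILD = "import sys; sys.stdin.readline()"


def visible_args(pid):
    """Return the argument list of `pid` as the process table reports it."""
    proc_path = f"/proc/{pid}/cmdline"
    if os.path.exists(proc_path):  # Linux procfs
        with open(proc_path, "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace")
    # Elsewhere (e.g. FreeBSD without procfs) ask ps(1) for the same data.
    out = subprocess.run(["ps", "-ww", "-o", "args=", "-p", str(pid)],
                         capture_output=True, text=True, check=True)
    return out.stdout


def secret_exposed(via):
    """Give a child SECRET via 'argv' or 'stdin'; return True if the secret
    appears in the child's visible argument list."""
    argv = [sys.executable, "-c", CHILD]
    if via == "argv":
        argv.append("--password=" + SECRET)  # assumed option name, for illustration
    child = subprocess.Popen(argv, stdin=subprocess.PIPE)
    try:
        exposed = SECRET in visible_args(child.pid)
        # With 'stdin' the secret crosses a private pipe, never the process table.
        payload = SECRET if via == "stdin" else ""
        child.communicate((payload + "\n").encode(), timeout=10)
    finally:
        if child.poll() is None:  # do not leave a blocked child behind on error
            child.kill()
            child.wait()
    return exposed


if __name__ == "__main__":
    for via in ("argv", "stdin"):
        print(f"secret passed via {via}: visible to ps = {secret_exposed(via)}")
```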