Date: Tue, 29 Jun 1999 10:33:02 -0600 (MDT)
From: Paul Hart
To: dave
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: A strange process

On Tue, 29 Jun 1999, dave wrote:

> Having the password on the command line is a huge security hole, BTW...
> Even if the program erases it from argv, there is still the time between
> when the program is invoked and when it erases argv when the password can
> be grabbed. A script doing nothing but ps would eventually grab one.
>
> login -p zzzzzzzz

Uhh, are you thinking that "zzzzzzzz" is the password? Maybe I'm missing
something but "man login" says:

SYNOPSIS
     login [-fp] [-h hostname] [user]

[...]

     -p      By default, login discards any previous environment. The -p
             option disables this behavior.

Wouldn't that mean that "zzzzzzzz" is a username?

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/
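
The point of the reply above, as an added example that is not part of the original message: a getopt(3) parse using an option string derived from the quoted synopsis (an assumption, not taken from login's source) shows that -p takes no argument, so "zzzzzzzz" is left over as the user operand. The names `struct login_args` and `parse_login_args` are made up for this illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* make <unistd.h> declare getopt() */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Result of parsing a login-style command line (hypothetical struct). */
struct login_args {
    int fflag;             /* -f seen */
    int pflag;             /* -p seen: keep the caller's environment */
    const char *hostname;  /* argument to -h, or NULL */
    const char *user;      /* first operand after the options, or NULL */
};

/*
 * Parse argv the way the quoted synopsis describes it:
 *     login [-fp] [-h hostname] [user]
 * The option string "fh:p" is derived from that synopsis (assumption):
 * only -h is followed by ':' and so only -h consumes the next word.
 * Returns 0 on success, -1 on an unknown option or missing -h argument.
 */
int parse_login_args(int argc, char *argv[], struct login_args *out)
{
    int ch;

    memset(out, 0, sizeof(*out));
    optind = 1;   /* restart getopt so the function can be called again */
    opterr = 0;   /* report errors through the return value only */
    while ((ch = getopt(argc, argv, "fh:p")) != -1) {
        switch (ch) {
        case 'f': out->fflag = 1; break;
        case 'p': out->pflag = 1; break;
        case 'h': out->hostname = optarg; break;
        default:  return -1;
        }
    }
    if (optind < argc)
        out->user = argv[optind];   /* what is left over is the user name */
    return 0;
}

int main(void)
{
    char *argv[] = { "login", "-p", "zzzzzzzz", NULL };  /* from the thread */
    struct login_args a;

    if (parse_login_args(3, argv, &a) == 0)
        printf("pflag=%d user=%s\n", a.pflag, a.user ? a.user : "(none)");
    return 0;
}
```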