Comments on: Hiding arguments from ps http://www.netsplit.com/2007/01/10/hiding-arguments-from-ps/ Just another WordPress weblog Fri, 21 Nov 2008 13:24:52 +0000 http://wordpress.org/?v=2.6.3 By: Tinus http://www.netsplit.com/2007/01/10/hiding-arguments-from-ps/#comment-145 Tinus Fri, 12 Jan 2007 17:03:32 +0000 #comment-145 Note that this is not useful as a security feature, as there will always be a period where the arguments are visible. An attacker can extend this period at will, by keeping the system busy in the right way. The purpose of the feature is to differentiate between processes, like the sendmail processes. You can see which one is the queuerunner, and which one is responsible for answering to the network. If your arguments contain secrets, you're doing something wrong. Just about any program that accepts passwords on the command line also accepts passwords from a source that cannot be exposed, that is from a file (with appropriate permissions set) or from standard input. In case you're wondering, you should also not use environment variables for this, they are not secure in all Unix variants. Use streams or files. Note that this is not useful as a security feature, as there will always be a period where the arguments are visible.

An attacker can extend this period at will, by keeping the system busy in the right way.

The purpose of the feature is to differentiate between processes, like the sendmail processes. You can see which one is the queuerunner, and which one is responsible for answering to the network.

If your arguments contain secrets, you’re doing something wrong. Just about any program that accepts passwords on the command line also accepts passwords from a source that cannot be exposed, that is from a file (with appropriate permissions set) or from standard input.

In case you’re wondering, you should also not use environment variables for this, they are not secure in all Unix variants. Use streams or files.

]]> By: Reiner Herrmann http://www.netsplit.com/2007/01/10/hiding-arguments-from-ps/#comment-144 Reiner Herrmann Fri, 12 Jan 2007 01:03:44 +0000 #comment-144 I also was wondering sometimes how other programs were hiding their arguments and couldn't find a good answer. Now I know it! :D Thank you for this very interesting article. I also was wondering sometimes how other programs were hiding their arguments and couldn’t find a good answer. Now I know it! :D
Thank you for this very interesting article.

]]> By: Federico Lucifredi http://www.netsplit.com/2007/01/10/hiding-arguments-from-ps/#comment-143 Federico Lucifredi Thu, 11 Jan 2007 20:51:08 +0000 #comment-143 Cool stuff. I was thinking about this a few weeks ago, and it is nice to see it all summed up neatly! Cool stuff. I was thinking about this a few weeks ago, and it is nice to see it all summed up neatly!

]]> By: EvilDead http://www.netsplit.com/2007/01/10/hiding-arguments-from-ps/#comment-142 EvilDead Thu, 11 Jan 2007 06:40:28 +0000 #comment-142 Hi, this is a very interesting post! Hi,

this is a very interesting post!

]]> By: i'm not even colourblind! http://www.netsplit.com/2007/01/10/hiding-arguments-from-ps/#comment-141 i'm not even colourblind! Wed, 10 Jan 2007 20:13:16 +0000 #comment-141 Is your code in Super Light Blue supposed to be readable? Your site's webdesign is otherwise good. Is your code in Super Light Blue supposed to be readable?

Your site’s webdesign is otherwise good.

]]> By: Storyteller http://www.netsplit.com/2007/01/10/hiding-arguments-from-ps/#comment-140 Storyteller Wed, 10 Jan 2007 19:34:59 +0000 #comment-140 A long time ago there was a famous lib which got a hacked api. So a lot of people tried to get a workaround. They used the problems for their work. The author of the famous lib decided to correct the problematic api and all programms using it got problems. oh yes. I can remeber the author telling the other what they should have done instead of programming... A long time ago there was a famous lib which got a hacked api. So a lot of people tried to get a workaround. They used the problems for their work.

The author of the famous lib decided to correct the problematic api and all programms using it got problems.

oh yes. I can remeber the author telling the other what they should have done instead of programming…

]]>