Bugtraq: Re: ps information leak in FreeBSD

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: ps information leak in FreeBSD

From: Damien Miller <djm () mindrot org>
Date: Thu, 09 Jan 2003 14:48:30 +1100

Crist J. Clark wrote:

Any program that asks for a password on the command line should have
the common decency to overwrite/obfuscate it, along the lines of,

        case 'p':
                passwd = optarg;
                optarg = "********";
                break;

So that it doesn't show up in any "ps" output.

That works only for OSs which support argv clobbering - it is by nomeans portable and shouldn't be depended on for security.

-d

By Date By Thread

Current thread:

ps information leak in FreeBSD Cache (Jan 06)
- Re: ps information leak in FreeBSD Sean Kelly (Jan 06)
- Re: ps information leak in FreeBSD Jez Hancock (Jan 21)
  - Re: ps information leak in FreeBSD Sean Kelly (Jan 08)
  - Re: ps information leak in FreeBSD Crist J. Clark (Jan 21)
    - Re: ps information leak in FreeBSD Damien Miller (Jan 09)
    - Re: ps information leak in FreeBSD David M. Wilson (Jan 15)
- <Possible follow-ups>
- ps information leak in FreeBSD Cache (Jan 06)