PS Command Security – How It Hides Passwords


Witness:

$ ps f
  PID TTY      STAT   TIME COMMAND
31509 pts/3    Ss     0:01 -bash
27266 pts/3    S+     0:00  \_ mysql -uroot -p
25210 pts/10   Ss+    0:00 /bin/bash
24444 pts/4    Ss     0:00 -bash
29111 pts/4    S+     0:00  \_ tmux attach
 4833 pts/5    Ss+    0:00 -bash
 9046 pts/6    Ss     0:00 -bash
17749 pts/6    R+     0:00  \_ ps f
 4748 pts/0    Ss     0:00 -bash
14635 pts/0    T      0:02  \_ mysql -uroot -px xxxxxxxxxxxxxxxx
16210 pts/0    S+     0:01  \_ mysql -uroot -px xxxxxxxxxxxxxxxx

How did ps know to hide the mysql passwords? Can I incorporate this into my own scripts to hide particular CLI attributes?

Best Answer

ps does not hide the password. Applications like mysql overwrite the argument list that they received. Please note that there is a small time frame (possibly extendable by high system load) in which the arguments are visible to other applications until they are overwritten. Hiding the process from other users could help. In general, it is much better to pass passwords via files than on the command line.

This article describes how to do this in C. The following example hides/deletes all command line arguments:

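#include <string.h>

int main(int argc, char **argv)
{
    // process command line arguments (copy any value needed later)....

    // hide command line arguments: overwrite every argument after argv[0]
    // in place, because ps shows this memory (via /proc/<pid>/cmdline on Linux)
    for (int i = 1; i < argc; i++) {
        memset(argv[i], 0, strlen(argv[i]));
    }

    // ...
    return 0;
}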

See also https://stackoverflow.com/questions/724582/hide-arguments-from-ps and https://stackoverflow.com/questions/3830823/hiding-secret-from-command-line-parameter-on-unix.
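
The answer's code wipes every argument; the sketch below is an added example (not from the original answer, the linked article, or mysql's source) that masks only one option's value after copying it, which is closer to what the `ps f` output in the question shows. The `-p` prefix handling and the function names `take_and_mask` and `extract_password` are assumptions for illustration, and the `/proc/self/cmdline` read in `main` is Linux-specific.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* If arg is "<prefix><secret>", return a heap copy of <secret> (caller
 * frees) and overwrite the original in place. NULL if no inline value. */
static char *take_and_mask(char *arg, const char *prefix)
{
    size_t plen = strlen(prefix);
    if (strncmp(arg, prefix, plen) != 0 || arg[plen] == '\0')
        return NULL;
    size_t n = strlen(arg + plen);
    char *copy = malloc(n + 1);
    if (copy != NULL)
        memcpy(copy, arg + plen, n + 1);
    /* Same length, new content: ps reads this memory, not a snapshot.
     * Mask even if the copy failed, so the secret is never left exposed. */
    memset(arg + plen, 'x', n);
    return copy;
}

/* Scan argv for the hypothetical -p option; the last occurrence wins. */
static char *extract_password(int argc, char **argv)
{
    char *secret = NULL;
    for (int i = 1; i < argc; i++) {
        char *s = take_and_mask(argv[i], "-p");
        if (s != NULL) {
            free(secret);
            secret = s;
        }
    }
    return secret;
}

int main(int argc, char **argv)
{
    char *pw = extract_password(argc, argv);
    FILE *f = fopen("/proc/self/cmdline", "r");  /* what ps would show */
    if (f != NULL) {
        int c;
        while ((c = fgetc(f)) != EOF)
            putchar(c == '\0' ? ' ' : c);
        putchar('\n');
        fclose(f);
    }
    printf("password %s\n", pw ? "captured" : "not given");
    free(pw);
    return 0;
}
```

The value is still readable by other processes between program start and the call to `extract_password`, which is the time frame the answer warns about.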