Re: ps information leak in FreeBSD

From: David M. Wilson (dw@botanicus.net)
Date: 01/09/03

    Date: Thu, 9 Jan 2003 21:23:40 +0000
    From: "David M. Wilson" <dw@botanicus.net>
    To: Damien Miller <djm@mindrot.org>
    
    

    On Thu, Jan 09, 2003 at 02:48:30PM +1100, Damien Miller wrote:

    > Crist J. Clark wrote:

    > >Any program that asks for a password on the command line should have
    > >the common decency to overwrite/obfuscate it, along the lines of,

    > > case 'p':
    > > passwd = optarg;
    > > optarg = "********";
    > > break;

    This code is incorrect, it destroys a temporary pointer that will be
    overwritten with the next call to getopt(). For the sake of
    completeness, it should be noted that to actually destroy the command
    line argument data, one should do something along the lines of:

       case 'p':
          passwd = strdup(optarg); /* heap copy; now requires free()ing. */
          {
             size_t len = strlen(optarg), i;
             /* zero the original bytes inside argv */
             for (i = 0; i != len; ++i)
                optarg[i] = 0;
          }
          break;

    > That works only for OSs which support argv clobbering - it is by no
    > means portable and shouldn't be depended on for security.

    This is still correct though. :). Any passwords passed on the command
    line are available through a race anyway. Just don't do it(tm).

    David.
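
The copy-then-wipe approach from the message above, written out as a complete program. This is an added example, not code from the original thread; the function names `take_secret_arg` and `parse_password` are hypothetical, and only the `-p` option comes from the thread.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() and getopt() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Copy a secret argument to the heap, then zero the original bytes in place.
 * Returns the heap copy (NULL if strdup failed); the wipe happens either way. */
static char *take_secret_arg(char *arg)
{
    char *copy = strdup(arg);
    volatile char *p = arg;       /* volatile so the stores are not optimised away */

    while (*p != '\0')
        *p++ = '\0';
    return copy;
}

/* Hypothetical parser for "-p <password>". Returns the heap copy or NULL. */
static char *parse_password(int argc, char **argv)
{
    char *passwd = NULL;
    int c;

    optind = 1;                   /* restart getopt so repeated calls work */
    while ((c = getopt(argc, argv, "p:")) != -1) {
        if (c == 'p') {
            free(passwd);         /* a repeated -p replaces the earlier copy */
            passwd = take_secret_arg(optarg);  /* optarg points into argv */
        }
    }
    return passwd;
}

int main(int argc, char **argv)
{
    char *passwd = parse_password(argc, argv);

    if (passwd == NULL) {
        fprintf(stderr, "usage: %s -p password\n", argv[0]);
        return 1;
    }
    printf("heap copy holds %zu bytes; the argv bytes are now zero\n",
           strlen(passwd));
    free(passwd);
    return 0;
}
```

As the thread says, the wipe only changes what `ps` shows on systems that read the process's own argv memory, and the password is still visible between process start and the wipe.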


