Re: ps information leak in FreeBSD

• Previous message: David Wilson: "Re: A security vulnerability in S8Forum"
• In reply to: Damien Miller: "Re: ps information leak in FreeBSD"
• Next in thread: Sean Kelly: "Re: ps information leak in FreeBSD"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 9 Jan 2003 21:23:40 +0000
From: "David M. Wilson" <dw@botanicus.net>
To: Damien Miller <djm@mindrot.org>

On Thu, Jan 09, 2003 at 02:48:30PM +1100, Damien Miller wrote:

> Crist J. Clark wrote:

> >Any program that asks for a password on the command line should have
> >the common decency to overwrite/obfuscate it, along the lines of,

> > case 'p':
> > passwd = optarg;
> > optarg = "********";
> > break;

This code is incorrect, it destroys a temporary pointer that will be
overwritten with the next call to getopt(). For the sake of
completeness, it should be noted that to actually destroy the command
line argument data, one should do something along the lines of:

   case 'p':
      passwd = strdup(optarg); /* now requires free()ing. */
      {
         int len = strlen(optarg), i;
         for (i = 0; i != len; ++i)
            optarg[i] = 0;
      }

> That works only for OSs which support argv clobbering - it is by no
> means portable and shouldn't be depended on for security.

This is still correct though. :). Any passwords passed on the command
line are available through a race anyway. Just don't do it(tm).

David.

• Next message: qitest1: "middleman-1.2 and prior off-by-one bug"
• Previous message: David Wilson: "Re: A security vulnerability in S8Forum"
• In reply to: Damien Miller: "Re: ps information leak in FreeBSD"
• Next in thread: Sean Kelly: "Re: ps information leak in FreeBSD"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]