How Does MySQL Hide the Command Line Password in Ps?
I saw this question asked today, and thought I’d write a quick post about it. Giving passwords on the command line isn’t necessarily a fantastic idea - but you can sort of see where they’re coming from. Configuration files and environment variables are better, but just slightly. Security is a night mare!
But if you do decide to write an application which takes a password (or any other sensitive information) on the command line, you can prevent other users on the system from easily seeing it like this:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
A sample run looks like this:
1 2 3 4 5
In another terminal:
1 2 3
In the interest of brevity, the above code isn’t very portable - but it works on Linux and hopefully the point of it comes across. In other environments, such as FreeBSD, you have the setproctitle() syscall to do the dirty work for you. The key thing here is the overwriting of argv Because the size of argv is allocated when the program starts, you can’t easily obfuscate the length of the password. I say easily - because of course there is a way.