OSEC

From: Crist J. Clark (crist.clark_at_attbi.com)
Date: Tue Jan 07 2003 - 11:48:46 CST

    On Tue, Jan 07, 2003 at 09:18:00AM +0000, Jez Hancock wrote:
    [snip]

    > It's annoying in that I see a lot of users running mysql with the -u and -p options:
    >
    > mysql -u user -p mypassword
    >
    > on the commandline, thinking that this info will not show up in ps listings when ps
    > is run by other users. Ho hum...

    Any program that asks for a password on the command line should have
    the common decency to overwrite/obfuscate it, along the lines of,

            case 'p':
                    passwd = strdup(optarg);             /* keep a private copy first */
                    memset(optarg, '*', strlen(optarg)); /* then overwrite the argv bytes in place */
                    break;

    So that it doesn't show up in any "ps" output.

    Of course, there is still a window of vulnerability before the code is
    executed, but any long-lived daemon has no excuse for not doing this.

    -- 
    Crist J. Clark                     |     cjclark@alum.mit.edu
                                       |     cjclark@jhu.edu
    http://people.freebsd.org/~cjc/    |     cjclark@freebsd.org