Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
We would like to know if there is a setting at the OS level that prevents this scenario?
Unfortunately, the passing of command-line parameters is, by the fundamental design of the operating system, available to all processes (it lives in the /proc filesystem). Incidentally, one might try to circumvent this by passing important information in environment variables, but this info is also available in /proc. The only way (with Linux) to circumvent this is to disable the mounting of /proc at boot. Alternately, you might make it available to a select group. Then, only that special group will get any information from ps.
Yeah, like stated above, passing in as an environment variable won't work. The shell will resolve environment variables prior to executing your application, so the password will still show up on the ps listing.
Example:
export TEST=100      # the shell expands $TEST before sleep is started
sleep $TEST &        # sleep's argv is "sleep 100", not "sleep $TEST"
ps -ef               # the expanded value 100 shows up in the listing
What do you see?
To use environment variables, the application would need to be written to use them. And even though they can be found in the proc filesystem, they are a little more hidden than your ps listing.
Another long shot is to see if your application will accept something from standard input. Then you could put your password into a file and redirect it to the application.
Can your application use a config file instead of command-line arguments? If so, use a config file and lock down the file's permissions well.
Another option is to change the permissions on the ps (and related) commands themselves. By default those apps are world executable, but you could make them so only the owner and/or group can execute them. However, users could still go through the process IDs in /proc and find the command line used, but that requires more work.
Finally, you could change the permissions on /proc. It's just a directory (or so it seems) and you could modify permissions so only root can enter. However, this will affect other apps that require information from /proc. For example, this will break ps.
Last edited by jdiggitydogg; 09-22-2007 at 02:42 AM.
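The contrast between the argument, stdin and config-file approaches discussed in the two replies above, as an added shell example that is not from this thread: `myapp` stands in for the real application, the secret value is constructed, and the checks read /proc/<pid>/cmdline directly, which is the same source ps uses.

```shell
#!/bin/sh
# Added example (not from the thread above); all values are constructed.
# Shows why a secret passed as an argument is readable by every local user
# through /proc/<pid>/cmdline (which is exactly what ps prints), why the same
# secret delivered on stdin never appears there, and how to check that a
# config file holding the secret is not group- or world-readable.

SECRET='hunter2-constructed'   # constructed sample value, not a credential

# Print a process's argv the way ps shows it (/proc/<pid>/cmdline is NUL-separated).
cmdline_of() {
    tr '\0' ' ' < "/proc/$1/cmdline"
}

# Helper: given a background child's pid, return 0 if SECRET is visible in
# its argv and 1 if not. The child is killed afterwards.
_argv_contains_secret() {
    pid=$1
    sleep 1                                 # let the child finish exec()
    out=$(cmdline_of "$pid")
    kill "$pid" 2>/dev/null || true
    case "$out" in *"$SECRET"*) return 0 ;; *) return 1 ;; esac
}

# Leaky pattern: the secret is an argument of the child (it becomes $1 of the
# child shell, standing in for "myapp --password SECRET").
secret_in_argv_visible() {
    sh -c 'sleep 3; exit 0' myapp "$SECRET" &
    _argv_contains_secret $!
}

# Safer pattern: the child reads the secret from stdin; its argv has no secret.
secret_on_stdin_visible() {
    printf '%s\n' "$SECRET" | sh -c 'read -r pw; sleep 3' &
    _argv_contains_secret $!                # $! is the last pipeline member (sh)
}

# Config-file pattern: return 0 only if the file exists and has no group or
# other read bit (mode 0600 or stricter), 1 otherwise.
secret_file_locked_down() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}
```

Run it on any Linux host with /proc mounted; the argv check succeeds even as an unprivileged user, which is the whole problem the thread describes.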
We would like to know if there is a setting at the OS level that prevents this scenario?
Not by default, but the GRSecurity kernel patch allows for process separation, meaning only root and the user will have access to the user's process details, not other unprivileged users. It's not the only thing GRSecurity fortifies, see their website docs for details.