Date: Tue, 11 Aug 1998 13:44:12 -0700 (PDT) From: Marc Slemko <marcs@znep.com> To: "Mark J. Taylor" <mtaylor@cybernet.com> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Possible security "risk" in ftp client Message-ID: <Pine.GSO.4.00.9808111342100.19881-100000@redfish> In-Reply-To: <XFMail.980811163822.mtaylor@cybernet.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 11 Aug 1998, Mark J. Taylor wrote: > > The neat-o FTP client program in FreeBSD "/usr/bin/ftp" has a > cool but horrible feature: you can specify the user name and > password to use via the command line (in the URL), as in: > /usr/bin/ftp ftp://myname@mypass/ftp.freebsd.org/ > > This is actually quite bad: any "ps -ax" will show the username > and password. Using setproctitle(3) would be an attempt to close > this, but it would create a race condition. > > The program "/usr/bin/fetch" does it better: use the environment > variables FTP_LOGIN and FTP_PASSWORD. Naw, that is worse since you can just use ps to grab it; the reason it is worse is because it tends to lead to people leaving it set when they aren't actually using the program. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.GSO.4.00.9808111342100.19881-100000>