Date: Wed, 12 Aug 1998 11:09:29 +1200 (NZST) From: Andrew McNaughton <andrew@squiz.co.nz> To: "Mark J. Taylor" <mtaylor@cybernet.com> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Possible security "risk" in ftp client Message-ID: <Pine.BSF.3.96.980812105007.16956A-100000@aniwa.sky> In-Reply-To: <XFMail.980811163822.mtaylor@cybernet.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 11 Aug 1998, Mark J. Taylor wrote: > The neat-o FTP client program in FreeBSD "/usr/bin/ftp" has a > cool but horrible feature: you can specify the user name and > password to use via the command line (in the URL), as in: > /usr/bin/ftp ftp://myname@mypass/ftp.freebsd.org/ Why on earth doesn't it use standard URL syntax? ftp://username:pass@host/dir/dir/file > This is actually quite bad: any "ps -ax" will show the username > and password. Using setproctitle(3) would be an attempt to close > this, but it would create a race condition. Also, it would not remove the password from ~/.history. > The program "/usr/bin/fetch" does it better: use the environment > variables FTP_LOGIN and FTP_PASSWORD. Environment variables are not private. > Is there any possibility of making a man page annotation that lists > this "hole"? And of getting in a patch that uses the environment? > I can do the work, unless someone else would rather do it... Passwords and other secure data should never appear on the command line or in environment variables. Mentioning this for every possible client is a bit beside the point. If you need to pass passwords to a program and you don't want the shell to see, and probably leak that information, you'll have to do it via stdin or a file. Andrew To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.980812105007.16956A-100000>