1

So I have a certain program, which is running almost 24/7.

I have a start script I've written in bash which simply does:

./app --user XXX --pass YYY

There are a few more options, but they are irrelevant to this question.

Once run, the pass will always show in ps for other users and I'm assuming in other places too. How do I prevent this from happening? The application cannot be modified, the only option I have is to do it while passing the password somehow.

It's also very important that the application is started via a script as I am automating its startup and shutdown on several machines. Inputting it manually every time is not really an option.

However, I do not need it to be unreadable in the bash script itself. It's okay if it's in plain text there; I only need it secured in places where other users might be able to check running processes, such as ps.

Sam

1 Answer

2

The safe solution is to pass the password in another way than a command line option. The two most common ways of doing that are an environment variable or having the program read it from a file.

Each of those may require changes to the program itself if it does not already support those methods.

A different approach which is less secure (but still better than what you have now) is for the program to copy the password from the command line to another location in memory and then wipe the location in memory where the command line is stored.

That approach is less secure because it will still be visible briefly while the program is starting. Some programs already do this, but if the program doesn't already do it, the program would need to be modified in order to do it.

kasperd
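The copy-then-wipe approach described in the answer above, as an added example in C that is not code from the answer or from the application in the question. The function name `take_password_arg` is hypothetical, the `--pass` option name comes from the question's command line, and the `--pass=VALUE` form is an assumed extra case.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (hypothetical helper): return a heap copy of the value given
 * to --pass, or NULL if the option or its value is missing. The original argv
 * bytes are overwritten in place, because on Linux ps reads the command line
 * from this same memory. The length is kept so only the content is hidden. */
char *take_password_arg(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        char *value = NULL;
        if (strcmp(argv[i], "--pass") == 0) {
            if (i + 1 >= argc)
                return NULL;            /* option given without a value */
            value = argv[i + 1];
        } else if (strncmp(argv[i], "--pass=", 7) == 0) {
            value = argv[i] + 7;        /* assumed --pass=VALUE form */
        }
        if (value == NULL)
            continue;
        size_t len = strlen(value);
        char *copy = malloc(len + 1);
        if (copy != NULL)
            memcpy(copy, value, len + 1);
        memset(value, 'x', len);        /* wipe even if the copy failed */
        return copy;
    }
    return NULL;
}

int main(int argc, char **argv)
{
    char *password = take_password_arg(argc, argv);
    if (password == NULL) {
        fprintf(stderr, "usage: %s --user NAME --pass SECRET\n", argv[0]);
        return 1;
    }
    /* ps shows x's from here on; before the call the secret was visible. */
    printf("password length: %zu, argv now hides it\n", strlen(password));
    free(password);
    return 0;
}
```

The wipe only happens once `take_password_arg` has run, which is the brief startup window the answer refers to.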