Programming
linux bash command-line command-line-arguments password-protection
Updated Fri, 20 May 2022 22:21:27 GMT

Shell script password security of command-line parameters


If I use a password as a command-line parameter, it's public on the system using ps.

But if I'm in a bash shell script and I do something like:

...
{ somecommand -p mypassword; }
...

is this still going to show up in the process list? Or is this safe?

  • How about sub-processes: (...)? Unsafe, right?
  • coprocess?



Solution

Command lines will always be visible (if only through /proc).

So the only real solution is: don't. You might supply it on stdin, or a dedicated fd:

./my_secured_process some parameters 3<<< "b@dP2ssword"

with a script like (simplicity first)

#!/bin/bash
cat 0<&3

(this sample would just dump a bad password to stdout)

Now all you need to be concerned with is:

  • MITM (spoofed scripts that eavesdrop on the password, e.g. by subverting PATH)
  • bash history retaining your password in the command line (look at HISTIGNORE for bash, e.g.)
  • the security of the script that contains the password redirection
  • security of the ttys used; keyloggers; ... as you can see, we have now descended into 'general security principles'




Comments (5)

  • +0 – Is the 3 above a typo? Should it just be <<<? If not, what does the 3 signify? — Nov 30, 2012 at 15:25  
  • +0 – Ok, I think I get it. That is the number of the argument? I think it's supposed to be a 2, though, not a 3. The first argument would be 0, second 1, third 2. Is that correct? — Nov 30, 2012 at 15:30  
  • +1 – Nope. <<< means: Stream this text to stdin. 3<<< means: stream this text to file descriptor 3. As you can see with the demo script, you can then read fd 3 from the script. This is security by obscurity because stdin/stdout/stderr are the only standard (usual) shell pipe file descriptors. — Nov 30, 2012 at 16:05
  • +0 – To be frank, this doesn't really buy you much as the input will still end up being sent to cat (in the sample) on stdin... (file descriptor 0). But at least it doesn't show up on the command line in ps, top, /proc/... — Nov 30, 2012 at 16:07
  • +3 – Apparently, "here-strings in bash are implemented as deleted temporary files". If that means they can make it to disk, it is another security consideration. Might be better to use process substitution like here: ./my_secured_process some parameters 3< <(printf '%s\n' b@dP2ssword) — Jul 24, 2016 at 22:23
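The dedicated-fd technique from the answer and the pipe/process-substitution point from the last comment, as an added example that is not code from the thread: each child process inspects its own command line, so the argv leak and the fd-3 fix can be compared directly. It assumes Linux /proc and uses a constructed sample password.

```shell
#!/bin/sh
# Added example, not code from the question, answer or comments above.
# It contrasts the two ways of handing a secret to a child process that
# the thread discusses: as an argv element, readable by every user via ps
# or /proc/PID/cmdline, versus over a dedicated file descriptor (fd 3).
# Each child inspects its OWN /proc/$$/cmdline, so there is no race
# between fork, exec and the check. Assumes Linux /proc; the password is
# a constructed sample value.

# Receiver side, the answer's "cat 0<&3" as a function: read one line
# from fd 3 and print it, so a caller can verify the round trip.
secret_from_fd3() {
    local s
    IFS= read -r s <&3 || return 1
    printf '%s' "$s"
}

# Variant A (the question's worry): the secret is passed as $1. The child
# greps its own command line for the value and reports what it finds.
pass_via_argv() {
    sh -c 'tr "\0" " " < "/proc/$$/cmdline" | grep -qF -- "$1" \
             && echo leaked || echo clean' sh "$1"
}

# Variant B (the answer's approach): the secret arrives on fd 3 through a
# pipe, so it is in no argv and, unlike a bash here-string, never touches
# a temporary file. In bash, 3< <(printf '%s\n' "$1") from the 2016
# comment is equivalent to the pipe used here.
pass_via_fd3() {
    printf '%s\n' "$1" | sh -c 'IFS= read -r s <&3
           tr "\0" " " < "/proc/$$/cmdline" | grep -qF -- "$s" \
             && echo leaked || echo clean' 3<&0
}

# Stand-alone demonstration: prints "argv : leaked" and "fd 3 : clean".
demo() {
    pw='b@dP2ssword'                       # constructed sample secret
    echo "argv : $(pass_via_argv "$pw")"
    echo "fd 3 : $(pass_via_fd3 "$pw")"
    echo "received over fd 3: $(printf '%s\n' "$pw" | secret_from_fd3 3<&0)"
}
demo
```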