34

Why do people fear writing passwords in the command line?

The history file is located in ~/.history, so it's available only to the user who executed the commands (and root).

Dor
  • 2,535

3 Answers

54

Command lines are not just available in history. They are also available, for example, in the output of ps -ocmd or through the /proc filesystem (/proc/<pid>/cmdline), which is where ps reads them.

Also, users' home directories are often world- or group-readable; you can make the history file only user-readable, but that might not survive deletion and recreation.

rici
  • 9,770
20

Passwords on the command line are just a bad idea all the way around. In addition to the methods discussed in the other answers:

  • /proc
  • process list (ps)
  • user's history file

User commands can show up in these locations as well:

  • audit logs
  • /var/log/*

In addition, users' commands can also show up when users log in between systems, so in general it's a bad practice and should be avoided at all times.

slm
  • 369,824
  • 3
    +1 for the /var/log reference - note that often the important system logs can be sent elsewhere, and don't necessarily stay on the same system. Thus your passwords may inadvertently also be transmitted across the network in cleartext form. – Mark Glossop Jun 14 '13 at 01:33
11

The problem is the visibility of the parameters (to other users in most cases, even for root) while the command is running. See the output of

ps -eo pid,user,args

Hauke Laging
  • 90,279
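An added example, not part of any answer above: a small audit script that parses the NUL-separated /proc/<pid>/cmdline format mentioned in the answers and reports processes whose arguments carry a secret, with the value redacted so the report itself does not leak it. The option-name list, the function names and the sample bytes are assumptions made for this example.

```python
import os
import re

# Option names assumed to carry secrets (an illustrative list, extend as needed).
NAMES = r"--?(?:password|passwd|pass|token|secret|api-key)"
SECRET_OPT = re.compile(rf"^{NAMES}$", re.I)
SECRET_KV = re.compile(rf"^({NAMES})=.+$", re.I)

# Constructed sample: raw bytes as they would appear in /proc/<pid>/cmdline.
SAMPLE = b"mysql\0-u\0app\0--password=hunter2\0db\0"

def parse_cmdline(raw):
    """Split the NUL-separated bytes of /proc/<pid>/cmdline into an argv list."""
    if not raw:
        return []  # kernel threads and zombies expose an empty cmdline
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\0").split(b"\0")]

def find_secret_args(argv):
    """Return (index, option) for each argument holding a secret value."""
    hits = []
    for i, arg in enumerate(argv):
        kv = SECRET_KV.match(arg)
        if kv:
            hits.append((i, kv.group(1)))
        elif SECRET_OPT.match(arg) and i + 1 < len(argv):
            hits.append((i + 1, arg))  # value is the next argument
    return hits

def redact(argv):
    """Copy argv with secret values replaced, so findings are safe to log."""
    out = list(argv)
    for i, opt in find_secret_args(argv):
        out[i] = opt + "=<redacted>" if out[i].startswith(opt + "=") else "<redacted>"
    return out

def scan_proc(proc="/proc"):
    """Audit running processes; returns [(pid, redacted argv)] for offenders."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as f:
                argv = parse_cmdline(f.read())
        except OSError:
            continue  # process exited or its entry is not readable
        if find_secret_args(argv):
            findings.append((int(pid), redact(argv)))
    return findings

if __name__ == "__main__":
    print(redact(parse_cmdline(SAMPLE)))
    for pid, argv in scan_proc():
        print(pid, " ".join(argv))
```

Run on a Linux host, it lists the scripts and services that should be changed to read their secret from a prompt, a file or standard input instead of an argument.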