Why shouldn't someone use passwords in the command line?
Solution 1
Command lines are not just available in history. They are also available, for example, in the output of ps -ocmd or through the /proc filesystem (/proc/<pid>/cmdline), which is where ps reads them.
Also, users' home directories are often world- or group-readable; you can make the history file only user-readable, but that might not survive deletion and recreation.
Solution 2
Passwords on the command line are just a bad idea all the way around. In addition to the methods discussed in the other answers:
- /proc
- process list (ps)
- user's history file
User commands can show up in these locations as well:
- audit logs
- /var/log/*
In addition, users' commands can also show up when users log in between systems, so in general it's a bad practice and should be avoided at all times.
Solution 3
The problem is the visibility of the parameters (to other users in most cases, even for root) while the command is running. See the output of
ps -eo pid,user,args
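The exposure described in the answers above, as an added example that is not part of the original answers or comments: it starts a stand-in process once with the password as an argument and once on standard input, and checks /proc/<pid>/cmdline each time. It assumes Linux with /proc; fake_tool, its --password and --password-stdin flags, and the secret value are hypothetical and constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (Linux, needs /proc). SECRET is a constructed sample value;
# fake_tool and its --password / --password-stdin flags are hypothetical.
SECRET='S3cr3t-constructed-sample'

# /proc/<pid>/cmdline holds argv as NUL-separated strings; ps reads the same file.
read_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline"
}

# Start the stand-in tool with the secret passed by argument ("argv") or on
# standard input ("stdin"), then report whether its argv reveals the secret.
probe() {
    if [ "$1" = argv ]; then
        # The shell expands $SECRET before exec, so the literal value lands in
        # argv. The same happens when the variable was exported first.
        sh -c 'sleep 2; :' fake_tool "--password=$SECRET" >/dev/null 2>&1 &
    else
        # printf is a shell builtin, so no process ever has the secret in argv.
        printf '%s\n' "$SECRET" |
            sh -c 'read -r pw; sleep 2; :' fake_tool --password-stdin >/dev/null 2>&1 &
    fi
    pid=$!
    # Until the forked child calls exec it still shows this script's argv.
    tries=0
    until read_cmdline "$pid" 2>/dev/null | grep -q fake_tool; do
        tries=$((tries + 1))
        [ "$tries" -gt 50 ] && break
        sleep 0.1
    done
    if read_cmdline "$pid" 2>/dev/null | grep -qF -- "$SECRET"; then
        result=exposed
    else
        result=hidden
    fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$result"
}

echo "password as argument: $(probe argv)"
echo "password on stdin:    $(probe stdin)"
```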
Dor
Updated on September 18, 2022
Comments
- Dor over 1 year
  Why do people fear writing passwords in the command line? The history file is located in ~/.history, so it's available only to the user who executed the commands (and root).
- Luc M almost 11 years
  Yuk! Even if you define your password with export mypass=secret and you use a_command --password=$mypass, you'll see secret in ps table.