Why shouldn't someone use passwords in the command line?


Solution 1

Command lines are not just available in history. They are also available, for example, in the output of ps -ocmd or through the /proc filesystem (/proc/<pid>/cmdline), which is where ps reads them.

Also, users' home directories are often world- or group-readable; you can make the history file only user-readable, but that might not survive deletion and recreation.

Solution 2

Passwords on the command line are just a bad idea all the way around. In addition to the methods discussed in the other answers:

  • /proc
  • process list (ps)
  • user's history file

User commands can show up in these locations as well:

  • audit logs
  • /var/log/*

In addition, users' commands can also show up when users log in between systems, so in general it's a bad practice and should be avoided at all times.

Solution 3

The problem is the visibility of the parameters (to other users in most cases, even for root) while the command is running. See the output of

ps -eo pid,user,args
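
The exposure the answers above describe, as an added example that is not part of the original answers: the same constructed secret is handed to a child process once as an argument and once on standard input, and the child's /proc/<pid>/cmdline is checked each time. It assumes Linux with /proc mounted; SECRET, the `consumer` process name and both function names are made up for the demonstration.

```shell
#!/bin/sh
# Constructed sample secret, used only inside this demo.
SECRET='Constructed-Demo-Pw-123'

# Print a process's argv as ps sees it: /proc/<pid>/cmdline holds the
# arguments separated by NUL bytes.
cmdline_of() {
    tr '\0' ' ' < "/proc/$1/cmdline"
}

# Start a short-lived child that receives the secret as an argument
# ("arg") or on standard input ("stdin"), then report whether the secret
# can be read from the child's command line. Prints "exposed" or "hidden".
secret_visibility() {
    case $1 in
        arg)
            # The shell expands $SECRET before exec, so the child's argv
            # holds the literal value even though a variable was used.
            sh -c 'sleep 3; :' consumer "--password=$SECRET" >/dev/null 2>&1 &
            ;;
        stdin)
            # The child reads the secret from stdin; argv carries none.
            sh -c 'read -r pw; sleep 3; :' consumer >/dev/null 2>&1 <<EOF &
$SECRET
EOF
            ;;
        *)
            echo "usage: secret_visibility arg|stdin" >&2
            return 2
            ;;
    esac
    child=$!
    sleep 1    # give the child time to exec before inspecting it
    seen=$(cmdline_of "$child")
    kill "$child" 2>/dev/null || true
    wait "$child" 2>/dev/null || true
    case $seen in
        *"$SECRET"*) echo exposed ;;
        *)           echo hidden ;;
    esac
}

# Run both cases when invoked as:  sh demo.sh run
if [ "${1:-}" = run ]; then
    echo "argument: $(secret_visibility arg)"
    echo "stdin:    $(secret_visibility stdin)"
fi
```
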
Author by

Dor

Updated on September 18, 2022

Comments

  • Dor over 1 year

    Why do people fear writing passwords in the command line?

    The history file is located in ~/.history, so it's available only to the user who executed the commands (and root).

    • Luc M almost 11 years
      Yuk! Even if you define your password with export mypass=secret and you use a_command --password=$mypass, you'll see secret in ps table.