
Key: CORE-867
Type: Improvement
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Alexander Peshkov
Reporter: Jiri Cincura
Votes: 0
Watchers: 0
Firebird Core

gbak should change param0 to not show username/password in ps axf

Created: 23/Jul/06 03:31 PM   Updated: 26/Dec/07 10:45 AM
Component/s: GBAK
Affects Version/s: 1.5.0, 1.5.1, 1.5.2, 1.5.3, 2.0 Beta 1, 2.0 RC1, 2.0 Beta 2, 2.0 RC2, 2.0 RC3
Fix Version/s: 2.1 Beta 1


Environment: standard unix/linux


Description
When you run gbak, other users can see your (or SYSDBA's) password during backup. Changing the param 0 only to i.e. gbak will solve this problem (some security kernel patches, I think, aren't the best way).

dbi added a comment - 23/Jul/06 05:53 PM
Please note that wiping command line parameters only makes it harder to discover the password. The long-term/secure solution is to prompt for passwords or read them from file. This would involve adding command-line switches, though.

And, this is not gbak-specific. All command-line utilities which support -password parameter are vulnerable.

Jiri Cincura added a comment - 23/Jul/06 07:08 PM
Yes, I know, but this makes it a little bit harder to see the password.
I've created a subtask for reading the password from file/input.

Alexander Peshkov added a comment - 25/Apr/07 09:31 AM
All firebird utilities replace argv[PASSWORD] with *
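
The masking approach discussed in this issue, written out in C as an added example; it is not Firebird's code. The function names, the exact-match handling of `-password`, and the sample values in the comments are assumptions. As noted in the first comment, the value remains readable from process start until the overwrite runs.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Firebird's code. Finds "-password <value>",
 * copies the value to a private buffer, then overwrites the original bytes
 * with '*'. Returns the masked argv index, 0 if no switch was found, or -1
 * if the value did not fit in out (it is masked anyway). */
int scrub_password_arg(int argc, char **argv, char *out, size_t outlen)
{
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-password") != 0)
            continue;
        char *value = argv[i + 1];
        size_t len = strlen(value);
        int rc = (len < outlen) ? i + 1 : -1;
        if (rc > 0)
            memcpy(out, value, len + 1);
        /* Overwrite in place: on Linux, ps reads this same memory through
         * /proc/<pid>/cmdline, so pointing argv elsewhere would not help. */
        memset(value, '*', len);
        return rc;
    }
    return 0;
}

/* Returns 1 if needle still appears in any argument of this process as
 * reported by /proc/self/cmdline (NUL-separated), 0 if not, -1 on error. */
int cmdline_contains(const char *needle)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/cmdline", "rb");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    for (size_t off = 0; *needle && off < n; off += strlen(buf + off) + 1)
        if (strstr(buf + off, needle))
            return 1;
    return 0;
}

int main(int argc, char **argv)
{
    char password[128] = "";
    int idx = scrub_password_arg(argc, argv, password, sizeof password);
    if (idx > 0)
        printf("masked argv[%d]; password still in cmdline: %d\n",
               idx, cmdline_contains(password));
    return idx < 0;
}
```

Run it with a constructed value such as `-password examplepw` and compare the `ps axf` output for the process with the program's own report.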