On Thu, Jan 09, 2003 at 02:48:30PM +1100, Damien Miller wrote:
> Crist J. Clark wrote:
> >Any program that asks for a password on the command line should have
> >the common decency to overwrite/obfuscate it, along the lines of,
> > case 'p':
> > passwd = optarg;
> > optarg = "********";
> > break;
This code is incorrect, it destroys a temporary pointer that will be
overwritten with the next call to getopt(). For the sake of
completeness, it should be noted that to actually destroy the command
line argument data, one should do something along the lines of:
case 'p':
passwd = strdup(optarg); /* now requires free()ing. */
{
int len = strlen(optarg), i;
for (i = 0; i != len; ++i)
optarg[i] = 0;
}
> That works only for OSs which support argv clobbering - it is by no
> means portable and shouldn't be depended on for security.
This is still correct though. :). Any passwords passed on the command
line are available through a race anyway. Just don't do it(tm).
David.
