I've got a web page PHP script which runs p7zip on the server:
This passes a user supplied password for encrypting their uploaded files.
Secondly the password is then emailed via PHP to the recipient.
What are the possible locations the password could be stored?
I did a grep -r "Passw0rd" /var/log/* and nothing was found.
Nothing in bash history either.
Dist is openSUSE.
Many thanks!
As this is being passed on the command-line, it's going to be ephemerally stored in the /proc/ filesystem. Anyone who has a local account can get a list of the running processes and their command-line arguments. Which gives you a string. An example:
Which translates to:
The cmdline pseudofile is world-readable, though it is only present when the process is actually running. These are visible in top after pressing the c key.

Some programs do manipulate that string so it isn't representative of what's actually running, though I don't know if php is one that allows such things.
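
An audit sketch for the exposure described in the answer above, added here as an example and not part of the original post: it splits the NUL-separated cmdline pseudofile into arguments and reports running 7-Zip processes whose -p switch carries an inline password, with the value redacted. The binary names, the sample archive and file names, and the assumption that 7-Zip itself is argv[0] are mine.

```python
import os

# Binary names installed by p7zip; the -p switch carries the password inline.
SEVENZIP_NAMES = {"7z", "7za", "7zr"}

def parse_cmdline(raw):
    """Split the NUL-separated bytes of /proc/<pid>/cmdline into an argv list."""
    if not raw:
        return []  # kernel threads and zombies expose an empty cmdline
    if raw.endswith(b"\0"):
        raw = raw[:-1]  # drop only the terminator of the last argument
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0")]

def audit(argv):
    """Return (leaked, redacted command line) for one process's argv."""
    leaked = False
    shown = list(argv)
    if argv and os.path.basename(argv[0]) in SEVENZIP_NAMES:
        for i, arg in enumerate(argv[1:], start=1):
            if arg == "--":
                break  # 7-Zip stops parsing switches here
            if arg.startswith("-p") and len(arg) > 2:
                leaked = True
                shown[i] = "-p****"  # never copy the secret into a report
    return leaked, " ".join(shown)

def scan_proc(proc="/proc"):
    """List (pid, redacted cmdline) for running 7-Zip processes with -p<value>."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:
            continue  # process exited, or access is restricted (hidepid)
        leaked, shown = audit(argv)
        if leaked:
            findings.append((int(pid), shown))
    return findings

# Constructed sample: what cmdline would hold for a 7z run with the
# question's example password (archive and file names are made up).
SAMPLE = b"/usr/bin/7z\0a\0-pPassw0rd\0out.7z\0upload.txt\0"

if __name__ == "__main__":
    print(audit(parse_cmdline(SAMPLE)))
    for pid, cmd in scan_proc():
        print(pid, cmd)
```

Because the pseudofile exists only while the process runs, a single scan can miss short-lived invocations; run it repeatedly while uploads are being processed.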