On 04/21/18 12:10, Brian wrote:
On Sat 21 Apr 2018 at 13:54:03 -0500, David Wright wrote:
On Sat 21 Apr 2018 at 19:14:06 (+0100), Brian wrote:
On Sat 21 Apr 2018 at 11:36:05 -0500, David Wright wrote:
On Fri 20 Apr 2018 at 20:38:48 (+0100), Brian wrote:
I have a script. It contains an important password.
If you cat /usr/local/bin/myscript do you see your important
password on the screen?
With the unencrypted file - yes. With the encrypted file - no.
I have encrypted the script with
scrypt [enc] -t 10 /usr/local/bin/myscript
I can, of course, decrypt it with
scrypt dec /usr/local/bin/myscript
and then execute the script.
The two last steps have been combined into
DECRYPT=$(scrypt dec /usr/local/bin/myscript) && eval "$DECRYPT"
Should I have any more concerns with this command than I have with the
two-step process?
If so, then won't the password be revealed by ps while eval is
evaluating it?
I do not know the most efficacious way to see the ps output in real time
as eval runs. With a bit of trial and error (scrypt is slow enough to
switch to another console and use ps) I captured
23266 pts/7 R+ 0:00 mpw -q -F -M
-t railcard
in its output. mpw is the basic command executed by myscript. Switches
are shown but not parameters. -M is the very important one. The gap
would be occupied by the passphrase.
Is it possible that ps output does not show parameters to switches?
Not AFAIK. Here, I can see lines in the list such as:
Then I do not understand why parameters are not shown.
Probably because you did not provide the -f option to ps(1).
When discussing console commands, it is best to cut and paste complete
console sessions into your post -- prompts, commands entered, and all
output produced. Redact sensitive information as needed.
Maybe they come
later in the output? I can foresee a few sleepless nights trying to
figure this out. :)
Type:
$ man ps
See the section 'OUTPUT FORMAT CONTROL'
At this juncture it appears I should have no worries about ps revealing
the secret.
Incorrect. If a password is passed via a command-line option, 'ps -f'
will reveal the password.
ccrypt(1) provides the -E (--envvar) option for providing the name of an
environment variable containing the keyword to prevent this vulnerability:
https://manpages.debian.org/stretch/ccrypt/ccrypt.1.en.html
https://packages.debian.org/search?suite=all&section=all&arch=any&searchon=names&keywords=ccrypt
David
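As an added illustration of the point made at the end of the thread (not code from any poster), the script below starts one child with a constructed passphrase in its argument list and another with the same value only in an environment variable, then reads what the kernel publishes about each via /proc/PID/cmdline (falling back to `ps -o args=` where /proc is absent). It does not run mpw, scrypt or ccrypt: the `-M` switch is used only as a stand-in for mpw's, the `MPW_PASS` variable name and the secret value are made up for the example, and `sh -c` with trailing arguments is used so the child's argv looks like `mpw -M <passphrase>`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a secret given as a
# command-line argument is visible in the process table, one given only in
# the environment is not part of argv.  Assumes Linux /proc is mounted;
# otherwise 'ps -o args=' is used.  MPW_PASS, -M and the secret are stand-ins.

SECRET='constructed-example-passphrase'   # constructed sample value

# Print the argument vector the kernel exposes for process $1 as one line.
# /proc/PID/cmdline is world-readable, which is exactly why 'ps -f' shows it.
argv_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Poll until the background child has exec'd; its argv then mentions "sleep".
wait_for_exec() {
    n=0
    while [ "$n" -lt 100 ]; do
        case "$(argv_of "$1")" in *sleep*) return 0 ;; esac
        sleep 0.05 2>/dev/null || sleep 1
        n=$((n + 1))
    done
    return 1
}

# Child with the passphrase on its command line.  'sh -c CMD NAME ARGS...'
# makes ARGS part of the child's argv, like 'mpw -M <passphrase>' would be.
# The '; :' keeps sh from exec'ing sleep directly and replacing its own argv.
leaks_via_argv() {
    sh -c 'sleep 3; :' sh -M "$SECRET" &
    pid=$!
    wait_for_exec "$pid"
    case "$(argv_of "$pid")" in
        *"$SECRET"*) result=yes ;;
        *)           result=no  ;;
    esac
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$result"
}

# Same child, but the passphrase travels only in the environment (the
# pattern behind ccrypt's -E / --envvar option).
leaks_via_env() {
    MPW_PASS="$SECRET" sh -c 'sleep 3; :' sh -M &
    pid=$!
    wait_for_exec "$pid"
    case "$(argv_of "$pid")" in
        *"$SECRET"*) result=yes ;;
        *)           result=no  ;;
    esac
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$result"
}

echo "secret in argv visible in process table:        $(leaks_via_argv)"
echo "secret in environment visible in process table: $(leaks_via_env)"
```

The first probe prints `yes` and the second `no`. Note the limits of the environment route: /proc/PID/environ (and BSD-style `ps e`) still expose the environment to the process owner and to root, so an env var closes the exposure to other users on the machine, not to anyone who already runs as the script's user. It also does not change what the `eval "$DECRYPT"` construction does: the decrypted script text runs inside the current shell, but any command it launches with the passphrase as an argument shows that argument in `ps -f` for as long as that command runs.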