coffeeandscripts/sqlcrush

The password should not be supplied as a command-line argument

Opened this issue · 0 comments

My understanding is that supplying passwords via command-line arguments is not considered good practice as it can leak information.

For example:

$ sqlcrush -p supersecretpassword
$ ps -eo pid,user,args | grep sqlcrush
25167 username       sqlcrush -pd supersecretpassword

$ tr "\0" " " < /proc/25167/cmdline
sqlcrush -pd supersecretpassword

Notice that the information is leaked even if one naively attempts to hide it from your bash history:

$ PASSWORD=supersecretpassword
$ history -d $(history 2)
$ sqlcrush -pd $PASSWORD
$ ps -eo pid,user,args | grep sqlcrush
29840 username       sqlcrush -pd supersecretpassword

I think that similar tools typically allow you to supply the password using a file (e.g. .pass), or possibly via an environment variable (e.g. PASSWORD).
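The alternative described in the issue, as an added example that is not part of the issue or of sqlcrush's own code: a small argparse front end that takes the password from a file (first line, and refuses files readable by group or others) or from an environment variable, falls back to an interactive prompt, and rejects `-p` with an explanation rather than silently putting the secret into argv. The option name `--password-file`, the variable name `SQLCRUSH_PASSWORD` and the helper names are assumptions for this illustration; `cmdline_of()` reads `/proc/<pid>/cmdline` the same way the `tr` command above does and is therefore Linux-only.

```python
"""Added example (not sqlcrush code): take a password from a file or an
environment variable instead of argv, so it never shows up in `ps` output or
/proc/<pid>/cmdline. Option and variable names are assumed for illustration."""
import argparse
import getpass
import os
import stat
from pathlib import Path
from typing import Callable, List, Mapping, Optional

ENV_VAR = "SQLCRUSH_PASSWORD"  # assumed name, not something sqlcrush defines


class _RejectInlinePassword(argparse.Action):
    """Fail fast when someone passes -p/--password on the command line."""

    def __call__(self, parser, namespace, values, option_string=None):
        parser.error(
            f"{option_string} is not accepted: argv is visible to every user via "
            f"ps and /proc/<pid>/cmdline. Use --password-file or ${ENV_VAR}."
        )


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(prog="sqlcrush-example")
    parser.add_argument("--password-file", metavar="PATH",
                        help="file whose first line is the password (mode 0600)")
    # Keep the option registered so users get a clear error, not a silent leak.
    parser.add_argument("-p", "--password", action=_RejectInlinePassword,
                        help=argparse.SUPPRESS)
    return parser


def write_password_file(path: str, password: str) -> None:
    """Create the file with mode 0600 from the start (no world-readable window)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(password + "\n")


def read_password_file(path: str, check_mode: bool = True) -> str:
    """Return the first line of the file; refuse files other users can read."""
    p = Path(path)
    if check_mode and os.name == "posix":
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(
                f"{p}: mode {mode:04o} lets group/others read it; chmod 600 the file")
    first_line = p.read_text(encoding="utf-8").split("\n", 1)[0].strip()
    if not first_line:
        raise ValueError(f"{p}: first line is empty, no password found")
    return first_line


def resolve_password(password_file: Optional[str], env: Mapping[str, str],
                     prompt: Optional[Callable[[], str]] = None) -> Optional[str]:
    """Precedence: explicit file, then environment variable, then interactive prompt."""
    if password_file:
        return read_password_file(password_file)
    value = env.get(ENV_VAR)
    if value:
        return value
    if prompt is not None:
        return prompt()
    return None


def cmdline_of(pid: str = "self") -> List[str]:
    """What `ps` shows for a process; Linux only (NUL-separated /proc/<pid>/cmdline)."""
    raw = Path(f"/proc/{pid}/cmdline").read_bytes()
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def main(argv: Optional[List[str]] = None) -> int:
    args = build_parser().parse_args(argv)
    password = resolve_password(args.password_file, os.environ,
                                prompt=lambda: getpass.getpass("Password: "))
    if password is None:
        print(f"no password given: use --password-file PATH or export {ENV_VAR}")
        return 1
    # The secret never touched argv, so showing argv here is safe.
    if os.path.exists("/proc/self/cmdline"):
        print("argv as ps sees it:", " ".join(cmdline_of()))
    print(f"password resolved ({len(password)} chars), not echoed")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Of the two channels, the file is the stronger one: an environment variable is not shown by `ps -eo args`, but it is readable by the same user (and root) through `/proc/<pid>/environ` or `ps eww`, and every child process inherits it, so a 0600 file read by the tool itself leaks to fewer places.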