How MySQL hides the command-line password from the ps command

Source: Internet
Author: User

Entering passwords on the command line is not a good idea and can create security problems (see another article, "The safe operation of MySQL password entry"). But suppose you decide to write an application that needs to take a password or other sensitive information on the command line. Can you keep other users of the system from easily seeing this sensitive data? You can, by using the method below, the same way MySQL hides passwords from the ps command.

Suppose the system has two users, root and dabu. The test system is CentOS 6.5, and the steps are as follows:

[root@dabu.info ~]# su dabu      # switch to the dabu account
[dabu@dabu.info ~]$ cd ~         # switch to dabu's home directory
[dabu@dabu.info ~]$ touch pwhide.c   # create the pwhide.c file
[dabu@dabu.info ~]$ ls

Output:

pwhide.c

Save the following code to pwhide.c:


#include <stdio.h>
#include <unistd.h>     /* symbolic constants defined by UNIX-like systems */
#include <string.h>     /* character-array (string) function definitions */
#include <sys/types.h>  /* basic system data types on Unix/Linux */

/* argc is the number of command-line arguments (including the executable itself);
   argv is an array of pointers to the argument strings */
int main(int argc, char *argv[])
{
    int i = 0;
    pid_t mypid = getpid(); /* get the PID of the running program */

    if (argc < 2)   /* no argument was given; argc has to be 2 for the program to work */
        return 1;   /* abnormal exit */
    printf("argc = %d and arguments are:\n", argc); /* print the number of arguments */
    for (i = 0; i < argc; i++)
        printf("%d = %s\n", i, argv[i]); /* print the index i and the corresponding argv element */
    printf("Replacing the argument with x:es... Now open another terminal and run: ps p %d\n", (int)mypid); /* print the message and the program's PID */

    fflush(stdout); /* flush the buffer so that its contents are printed */
    /* This is the key point of the article (original: http://www.dabu.info/?p=5150):
       memset(void *s, int c, size_t n) overwrites each character of the password with x.
       You can also replace x with a, recompile, run again, and see what ps shows differently. */
    memset(argv[1], 'x', strlen(argv[1]));
    /* Wait for keyboard input. The real purpose here is to keep the program running so that
       you can look up the PID with ps and check whether the password is hidden. Once the
       program reaches this call, do not press any more keys in this terminal. */
    getc(stdin);
    return 0; /* normal exit */
}

Then compile pwhide.c with the following command:
[dabu@dabu.info ~]$ gcc -o hide pwhide.c   # the compiled file is called hide
[dabu@dabu.info ~]$ ls
Output:
hide pwhide.c

Test with the compiled program:

[dabu@dabu.info ~]$ ./hide dabu.info   # dabu.info is used as the test argument (in effect, the password)
Output:
argc = 2 and arguments are:
0 = ./hide
1 = dabu.info
Replacing the argument with x:es... Now open another terminal and run: ps p 15585

Note: the PID in "ps p 15585" will probably be different for you, because the PID changes every time the program runs. Whatever number your run displays is the number to use in the steps that follow.

After the output above is displayed, do nothing more in that terminal and do not close the terminal window (command window). Then log in with the root account, so that two terminal windows are open at the same time, and enter the following command:

[root@dabu.info ~]# ps p 15585   # 15585 is the PID obtained when running ./hide dabu.info
Output:
PID TTY STAT TIME COMMAND
15585 pts/0 S+ 0:00 ./hide xxxxxxxxx   # dabu.info has 9 characters in total, so 9 x's are shown

This test shows the method that lets MySQL hide the password on the command line from the ps command. It also means that when you write another program, you know how to use this method to make the program hide its command-line arguments from ps.

For simplicity's sake, the code above may not be easy to port to other platforms, but it works on Linux and shows the key point. In other environments, such as FreeBSD, you can use the system call setproctitle() to do this grunt work for you. The key point is to overwrite argv[1].

Because the size of argv[] is allocated at the start of the program, you cannot easily change the length of the password. Of course, it's easy to say, because there is a way
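The demo above destroys the password; a program that actually needs it has to keep a private copy before overwriting argv[1]. The following added example (not from the original article or from MySQL's source) does that and then reads /proc/self/cmdline, the file ps reads on Linux, to confirm the result; take_secret and read_cmdline are hypothetical helper names.

```c
/* Added example: copy the secret, scrub argv, then check what ps would read. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical helper: return a heap copy of arg and overwrite the original
   in place. The argument is scrubbed even when the allocation fails. */
char *take_secret(char *arg)
{
    size_t len = strlen(arg);
    char *copy = malloc(len + 1);
    if (copy != NULL)
        memcpy(copy, arg, len + 1);
    memset(arg, 'x', len);  /* same length: argv storage cannot grow */
    return copy;
}

/* Hypothetical helper: read the argument vector as the kernel exposes it,
   with NUL separators shown as spaces. Returns bytes read, or -1 on error. */
long read_cmdline(char *out, size_t cap)
{
    FILE *f;
    size_t n, i;
    if (cap == 0 || (f = fopen("/proc/self/cmdline", "r")) == NULL)
        return -1;
    n = fread(out, 1, cap - 1, f);
    fclose(f);
    for (i = 0; i + 1 < n; i++)
        if (out[i] == '\0')
            out[i] = ' ';
    out[n] = '\0';
    return (long)n;
}

int main(int argc, char *argv[])
{
    char seen[4096], *secret;
    if (argc < 2)
        return 1;
    /* Until this call returns, the secret is still readable by other users
       through ps, so it should be the first thing main() does. */
    secret = take_secret(argv[1]);
    if (secret == NULL)
        return 1;
    if (read_cmdline(seen, sizeof seen) > 0)
        printf("ps sees: %s\n", seen);
    printf("program keeps a %zu-character secret\n", strlen(secret));
    free(secret);
    return 0;
}
```

Compiled as in the steps above and run as ./hide dabu.info, it prints the scrubbed command line while the copy in secret stays usable by the program.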
