
How do I mask a password from "ps"?

I need to run a process, PB, and keep it running. To avoid problems I run it in the background, providing the user and password for connecting to Oracle, with the command:

  PB -u myuser -p my password &

But by using 'ps -ef | grep PB' anyone can see the password. There is another way to run the process, which is to run it in the foreground:

  PB -u myuser

and it prompts for the password with 'Enter password:'. Once the password is typed, the process is started.

I would like to run the process in the background, but without the password being shown by any 'ps'.


Dave's Answer:

This is a rather common Unix / Linux question, something I'd categorize as "how to mask information from ps", and unfortunately it's not very easy to accomplish.

I see two ways you could do this, though. If you're willing to launch the application by hand each time you run it, you could do something like:

$ nohup PB -u myuser > PB.log 2>&1

Which would launch the process in a "bullet proof" way, prompt you for the password, then you could just type ^Z followed by the command bg to drop it into background, password hidden, but detached from your terminal so if you log out, it'll keep running.

The other solution is only useful if you have access to the application itself: you could create a bogus flag that accepted an argument and simply specify something like:

$ PB -u myuser -x "             " -p pass

By having a bogus flag whose value is, say, 100 spaces, you could effectively mask the password from prying eyes.

Of course, if you can edit the source to the PB program, perhaps you could simply tweak it to read the password from standard input or a data file or something instead, which would be the preferred solution anyway.

Hope this is helpful!




Comments

I don't really know how I ended up on your blog, but it seems pretty cool, and your tips are an intelligent deviation from the normal crap on tips sites.

Anyway, in this tip, I assume you're intending the bogus flag to push the password over the edge of the 80-character standard terminal width so that 'ps' doesn't print it. I just wanted to note that on most terminals, all you have to do is pipe the output of 'ps' to 'cat' (or 'less' or...), and 'ps' will assume the terminal width is unbounded. Then, the password is visible again.

My suggestion has similar difficulties, but it does solve the problem of the password showing up in 'ps'. I would create a Perl script to execute the program and then, using a redirected standard input, have the Perl script enter the password at the prompt. Of course, with this approach comes the problem of storing a password in plaintext.

A more complicated approach would be to do it with a C program and use something memfrob()-like to perform a pseudo-encryption on the string.

Keep up the good work, Dave.

Posted by: cww at May 15, 2006 4:16 PM
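
Dave's preferred fix (read the password from standard input or a data file) and cww's redirected-stdin wrapper, as an added shell example that is not part of the original post or comments. `pb_stub` is a constructed stand-in for PB, and the example assumes the real PB accepts the password on stdin when stdin is not a terminal; the password file is still plaintext, so the wrapper refuses one that group or others can read.

```shell
#!/bin/sh
# Added example. pb_stub is a constructed stand-in for PB; it assumes the real
# PB reads the password from stdin when stdin is not a terminal.

# Command line of a PID as other users see it (/proc on Linux, else ps).
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then tr '\0' ' ' < "/proc/$1/cmdline"
    else ps -o args= -p "$1"; fi
}

# True (0) if the secret string is visible in the process arguments.
leaks_in_ps() { cmdline_of "$1" | grep -qF -- "$2"; }

# True (0) only if group and others have no permission bits on the file.
private_file() { [ "$(ls -ldn "$1" | cut -c5-10)" = "------" ]; }

# start_bg STDIN_FILE CMD...: detach CMD with stdin taken from STDIN_FILE.
start_bg() {
    in=$1; shift
    nohup "$@" < "$in" > /dev/null 2>&1 &
    echo $!
}

# Same, but refuse a password file that anyone else could read.
start_with_secret() {
    private_file "$1" || { echo "refusing $1: not mode 0600" >&2; return 1; }
    start_bg "$@"
}

# Constructed demo: write the stub and a password file, run both variants.
demo() {
    dir=$(mktemp -d) && secret='s3cr3t-constructed'
    printf '#!/bin/sh\nIFS= read -r pw\nsleep 5\nexit 0\n' > "$dir/pb_stub"
    # printf is a shell builtin, so the secret never becomes a process argument
    ( umask 077; printf '%s\n' "$secret" > "$dir/pw" )
    bad=$(start_bg /dev/null sh "$dir/pb_stub" -u myuser -p "$secret")
    good=$(start_with_secret "$dir/pw" sh "$dir/pb_stub" -u myuser)
    sleep 1   # let both children exec before inspecting them
    leaks_in_ps "$bad" "$secret" && r1=leak || r1=hidden
    leaks_in_ps "$good" "$secret" && r2=leak || r2=hidden
    kill "$bad" "$good" 2>/dev/null || :
    rm -rf "$dir"
    echo "argv:$r1 stdin:$r2"
}
demo
```

Unlike the padding trick, this holds up when `ps` output is piped through `cat`, because the password is never part of the argument vector in the first place.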
© 2002 - 2008 by Dave Taylor. All Rights Reserved.