Issue:
======
All command-line utilities which support the -password parameter are
vulnerable to password sniffing, especially when they are run from
scripts. Since 2.1, all Firebird utilities replace argv[PASSWORD]
with *, but a better solution for hiding the password from others in
the process list is to read it from a file or ask for it on
stdin.
Scope:
======
Security issue.
Document author:
=================
Alex Peshkov (peshkoff@mail.ru)
Document date:
==============
2008-11-30
All utilities have a new switch
-fetch_password
which may be abbreviated according to the utility's rules.
The exception is QLI, where -F should be used.
The switch has a required parameter - the name of the file containing the password. I.e.:
isql -user sysdba -fet passfile server:employee
will load the password from the file "passfile", using its first line
as the password.
One can specify "stdin" as the file name to make the password be read
from stdin. If stdin is a terminal, the prompt:
Enter password:
will be printed.
For POSIX users - if you specify '-fetch /dev/tty' you will also
be prompted. This may be useful if you need to restore from stdin:
bunzip2 -c emp.fbk.bz2 | gbak -c stdin /db/new.fdb -user sysdba -fetch /dev/tty
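The following POSIX shell script is an added example, not part of the Firebird release notes or the Firebird utilities themselves. It shows the script-side half of the pattern described above: creating the password file so that only the current user can read it, reading only its first line the way the utilities do, and composing a gbak command line that passes the file name via -fetch_password so the password itself never appears in argv (and therefore not in the process list). The file name "passfile" and the restore arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: manage a Firebird -fetch_password file from a script.
# Not Firebird's own code; the file name and arguments are illustrative.

# Create the password file with mode 0600 (umask 077 at creation time),
# so other local users cannot read it. The password is the first line.
write_password_file() {
    file="$1"
    password="$2"
    old_umask=$(umask)
    umask 077
    rm -f -- "$file"
    printf '%s\n' "$password" > "$file"
    umask "$old_umask"
}

# Mirror what the utilities do with the file: only the first line is used
# as the password; anything after it is ignored.
first_line() {
    IFS= read -r line < "$1" || true
    printf '%s' "$line"
}

# Build the restore command. The password file name, not the password,
# is what ends up in argv, so `ps` shows only "-fetch_password passfile".
build_restore_cmd() {
    db="$1"
    user="$2"
    passfile="$3"
    printf '%s' "gbak -c stdin $db -user $user -fetch_password $passfile"
}

# Usage (constructed sample; the password value is a placeholder):
#   write_password_file passfile 'placeholder-secret'
#   bunzip2 -c emp.fbk.bz2 | $(build_restore_cmd /db/new.fdb sysdba passfile)
```

Because the password is read from the file at the moment the utility starts, the file can be removed immediately after the command finishes, and it never has to be embedded in the script itself.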