Hiding password from ps

I'm calling a program with a command line argument containing a password. While the process is running, anyone on the system can ps -ef and see the password. Is there a way to prevent this from happening?

example

PROGRAM USERNAME/PASSWD

I've also tried
PROGRAM `cat passfile`

with passfile containing USERNAME/PASSWD
but it still appears

Any way around this?
The program I'm calling is CONCSUB, if anyone is familiar with Oracle Apps. And unfortunately it doesn't seem to have an interactive mode but only accepts command line arguments.

Call them using a C file maybe?
urfile.c contains:
#include <stdlib.h>
int main(void){ system(" program username/passwd "); return 0; }

and then
cc -o urfile urfile.c
then ./urfile

Sounds like a homework question, but since you posted your work, I may help you.

Ordinarily homework is strictly forbidden on this site.

You must give more info first. What operating system, what shell are you using, what programming language are you using?

If it is ksh or sh or bash, put the password in a file and call the file from the command line. Most types of scripting will support this function.

OR you might put the whole thing in a file and make it executable with "chmod 755 filename" and then "./filename" to execute it.

What is the purpose of this assignment? Are you just changing a user's password and that's it, or are you using a password for a program?

That would be helpful as well.

And in the future, try not to post homework, if this is that.

:wink:

Well, it's a work/work rather than homework question, so I hope that's acceptable.
Here's the background (not at work today, so I don't know some stuff off the top of my head).
HPUX (10.3 I think)
The command is in either a ksh or sh script.
The program is CONCSUB; it basically submits a program name to Oracle's concurrent manager, which then executes it.

so the line in the ksh script looks like this

CONCSUB $USERPASS $ORCLPROG

where $USERPASS is username/password for the database (also tried it being `cat .userpass` with the same results; the .userpass file contained username/password)
and $ORCLPROG is the name of the program to be executed.

The purpose is to avoid having anyone else on the machine being able to see this username and password by simply executing the ps -ef command.

I'll try the 'c' program tomorrow.

Thanks again for the help.

Actually you can do a chmod 500 /usr/bin/ps at the beginning of the script and a chmod 555 /usr/bin/ps at the end of the script.

If that is acceptable for your box.

Well, the C program may not work.
Check this out:

$ cat test.c
#include <stdio.h> 
main(){ system(" sleep 1234 "); } 

$ gcc -o test1 test.c
$ ./test1 &
[1] 7718
$ ps -ef
< snipped for brevity >
me      7718  7241  0 00:19 pts/1    00:00:00 ./test1
me      7719  7718  0 00:19 pts/1    00:00:00 sleep 1234
me      7720  7241  0 00:20 pts/1    00:00:00 ps -ef
$

Will this application prompt you for a password if you don't supply one on the command line (like sqlplus)?
In that case, you might be able to use a shell script:

#!/bin/sh
/path/to/CONCSUB <<EoF
USERNAME/PASSWORD@DB
command
another command
EoF

This may or may not work though. Either way, though, make sure you lock down permissions on the file so no one but you can read it. The command's passwords will be left in plain text in the script and also in the compiled C program.

HP-UX stores the command line in a buffer and makes it available to all users via the pstat() system call. So disabling ps is not enough.

That buffer, like all buffers, is finite. So
ln -s /path/to/CONCSUB longname
./longname USERNAME/PASSWORD
should work. Of course, "longname" isn't long enough. You will need a 64 character name.

As to storing the password in a file, here is an alternative:

#! /usr/bin/ksh

print -n password -
stty -echo
read PASSWORD
stty echo
print

With this, the script just asks the user for the password each time it runs.

Thanks for all the suggestions.
I think the longname solution will be easy and probably work well.

But since I've been investigating, I found another suggestion on an Oracle support board. I can't get it to work though, and don't really understand it. Just kinda curious at this point, so perhaps someone can explain what they are trying to do.

They suggest something like this.

Put password in a file, passwd.dat

exec < passwd.dat
CONCSUB apps/$1 <other arguments>

It's not presented very well, but does this give anyone any ideas?
I have no clue what the exec < passwd.dat is trying to accomplish, but it looks interesting anyway.
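
Added example, not part of any post in the thread: a sh script that starts a stand-in child both ways discussed above, with the credential as an argument (the `cat passfile` form) and on standard input after exec < file, and reports whether the credential shows up in the child's process listing. The credential, the concsub-standin name and the child itself are constructed; the script assumes a program that reads its credential from standard input, which the thread does not establish for CONCSUB.

```shell
#!/bin/sh
# Constructed credential and stand-in child; the real CONCSUB is not run here.
CRED='apps/ExamplePw123'

# Argument vector of PID $1, as any local user can read it.
cmdline_of() {
    ps -o args= -p "$1" 2>/dev/null || tr '\0' ' ' < "/proc/$1/cmdline"
}

# Start the stand-in one way ($1 = argv | stdin) and report whether the
# credential appears in its process listing: prints "visible" or "hidden".
check() {
    credfile=$(umask 077; mktemp)          # readable by the owner only
    printf '%s\n' "$CRED" > "$credfile"    # printf is a builtin: no argv leak
    case $1 in
    argv)
        # Same as CONCSUB $USERPASS or CONCSUB `cat passfile`: the shell
        # expands the value first, so it lands in the child's argv.
        sh -c 'sleep 5; :' concsub-standin "$(cat "$credfile")" \
            >/dev/null 2>&1 &
        ;;
    stdin)
        # exec < file re-points stdin; the child inherits it and reads the
        # credential from there, so nothing secret is placed in argv.
        ( exec < "$credfile"
          exec sh -c 'read -r cred; sleep 5; :' concsub-standin ) \
            >/dev/null 2>&1 &
        ;;
    esac
    pid=$!
    sleep 1                                # give the child time to exec
    seen=$(cmdline_of "$pid")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -f "$credfile"
    case $seen in
        *"$CRED"*) echo visible ;;
        *)         echo hidden ;;
    esac
}

echo "argv:  $(check argv)"
echo "stdin: $(check stdin)"
```

The credential file still holds the secret in plain text, so its permissions matter as much as the process listing does.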