Hello
I want to hide command line parameters of my programs/scripts to not to be seen with 'ps' command.
How can I do that?
thanks in advance.
One way I've seen it done is to save the parameters in variables, export them, then immediately exec a different script. The new script will obtain values through environment variables and not display them in its commandline, while the program that called it no longer exists, having been replaced with whatever it exec'd. This makes it difficult -- though not impossible -- to catch in the act.
Another way to avoid parameters being visible is to not have them visible in the first place, transferring them to scripts through methods like pipes and so forth.
Using variables doesn't totally hide them though, a BSD ps with the 'e' flag will show them
If you can push the argument out past 80 characters, it shouldn't show up on the "normal" ps output on both Linux and Solaris. IIRC both those copy the args to a structure available in /proc that's only 80 chars long.
Now, there may very well be other ways to get the arguments than from /proc via ps, and any user that can read the address space of the process certainly can get them. But that's at least a start.
That's a horrible kludge, though. It's best to not put sensitive data on command lines. If the data is sensitive enough that you don't want it visible, put it in a file and closely control the file permissions. You don't want to do that? Why? You were willing to put the sensitive data on a command line in a script, and a script is nothing more than a file.
cat noargs.sh
#!/usr/bin/bash
ps -ef | grep "n[o]args.sh"
echo $VAR1
echo $VAR2
ps -ef | grep "n[o]args.sh"
Execute:
# VAR1="this is the 1st argument" VAR2="this is the 2nd argument" ./noargs.sh
root 25177 23762 0 22:14:16 pts/1 0:00 /usr/bin/bash ./noargs.sh
this is the 1st argument
this is the 2nd argument
root 25177 23762 0 22:14:16 pts/1 0:00 /usr/bin/bash ./noargs.sh
#
Note: There is a SPACE and not a ";" between the command line parts.
True, but that is not a BSD-style "e"-option. You have to leave out the "-" for that.
#!/usr/bin/bash
ps axe | grep "n[o]args.sh"
echo $VAR1
echo $VAR2
ps axe | grep "n[o]args.sh"
# VAR1="this is the 1st argument" VAR2="this is the 2nd argument" ./noargs.sh
17834 pts/0 R+ 0:00 /bin/bash ./noargs.sh VAR1=this is the 1st argument VAR2=this is the 2nd argument TERM=....
this is the 1st argument
this is the 2nd argument
17834 pts/0 R+ 0:00 /bin/bash ./noargs.sh VAR1=this is the 1st argument VAR2=this is the 2nd argument TERM=....
I assume the intention of all of this is to hide the arguments for others. The -e option for the BSD ps only always you the see the environment for your own processes (unless you are root ofcourse).