Hiding a secret from the command line parameter on Unix
Question
I have a script that launches inside of itself a command with a parameter that is a secret. For example:
#!/bin/bash
command-name secret
While running the command I can read through ps -ef | grep command-name which is the secret.
Is there any way of hiding the secret in a way that through ps -ef, the command line parameter is obfuscated?
Recommended answer
First, you can NOT hide command line arguments. They will still be visible to other users via ps aux and cat /proc/$YOUR_PROCESS_PID/cmdline at the time of launching the program (before the program has a chance to do run-time changes to arguments). The good news is that you can still have a secret by using alternatives:
Use environment variables (with caveats). If your program can read them, do this:
mySecret='hello-neo' myCommand
Use standard input:
mySecret='hello-neo' printenv mySecret | myCommand
Use a dedicated file if you want to separate the secret from the main script (note that full-disk encryption is recommended, and make sure the file has correct chmod permissions):
cat /my/secret | myCommand
Use a temporary file descriptor:
myCommand <( mySecret='hello-neo' printenv mySecret )
In the last case your program will be launched like myCommand /dev/fd/67, where the contents of /dev/fd/67 is your secret (hello-neo in this example).
In all of the above approaches, be wary of leaving the command in bash command history (~/.bash_history). You can avoid this by either running the command from a script (file), or by interactively prompting yourself for a password each time:
read -s mySecret && export mySecret
myCommand # approach 2
printenv mySecret | myCommand # approach 3
myCommand <( printenv mySecret ) # approach 4