Hiding secret from command line parameter on Unix

Question

I've a script that launches inside of itself a command with a parameter that is a secret. For example:

#!/bin/bash
command-name secret

When the command is running I can read the secret through ps -ef | grep command-name.

Is there any way of hiding the secret in a way that through ps -ef, the command line parameter is obfuscated?

Answer

If the secret doesn't change between executions, use a special configuration file, ".appsecrets". Set the permissions of the file to be read-only by owner. Inside the file set an environment variable to the secret. The file needs to be in the home directory of the user running the command.

#!/bin/bash
#filename: .appsecrets
# 'set SECRET=polkalover' would only set the positional parameters in bash/ksh;
# export creates the variable and passes it to the command's environment
export SECRET=polkalover

Load the config file so the environment variable gets set.

. ~/.appsecrets

What I've seen done:

1)
echo $SECRET | command

works if the command prompts for the password from stdin AND if 'echo' is a builtin of your shell. We were using Korn.

2)
$password = $ENV{SECRET};   # Perl: read the secret from the environment instead of argv

works if you have control of the code (e.g. in perl or C++)

3)
. ./.app.config #sets environment variables
isql -host [host] -user [user] -password <<SECRET
${SQLPASSWORD}
SECRET

works if the command can accept the secret from stdin. One limitation is that the <<string has to be the last argument given to the command. This might be troublesome if there is a non-optional arg that has to appear after -password

The benefit of this approach is you can arrange it so the secret can be hidden in production. Use the same filename in production but it will be in the home directory of the account that runs the command in production. You can then lock down access to the secret like you would access to the root account. Only certain people can 'su' to the prod account to view or maintain the secret while developers can still run the program because they use their own '.appsecret' file in their home directory.

You can use this approach to store secured information for any number of applications, as long as they use different environment variable names for their secrets.

(WRONG WAY)
One old method I saw the DBAs use was to set SYBASE to "/opt/././././././././././././././././././././././././././././././././././sybase/bin". So their command lines were so long that ps truncated them. But in Linux I think you might be able to sniff out the full command line from /proc.
