Bash and peeking at variables.

FeatherMonkey · 2007-11-27 13:49:45

Could someone clarify, on chatting to someone they wished to use the root password as a variable.

Now my concern as the script is being run as a user the variable maybe accessable outside the script to others in the users group.

So my question is am I right and would it be possible to sneak a peek or catch the variable to get access to the root password? And if so how?

Last edited by FeatherMonkey (2007-11-27 13:50:01)

VikM · 2007-11-27 14:46:45

Interesting, I don't know any method to see variables of a running sh script and I didn't search one for this answer. A proper way to allow users to run specific programs is by editing /etc/sudoers (has nice examples). That user does not need root privileges for anything, you can make sudo allow only the needed program.
I don't want to be rude, but having the root password in a file is ridiculous.

FeatherMonkey · 2007-11-27 14:55:07

This was my initial thought. It's just I thought I'd seen something about doing this, via ps, tmp or maybe proc but am really unsure. I have searched a little but not had much joy.

The password wouldn't of been in the file but passed to it, which was my concern. OK it would be only a small window of opportunity but still if it was possible to peek at the variable outside the script.

Then I just felt escalating from user rights would of been just a case of waiting for them to run the script if it was possible to peek at the variable.

Edit
This wouldn't even be applicable to Arch iirc as arch's su won't take a password like that but that's for another thread.

Last edited by FeatherMonkey (2007-11-27 15:00:41)

VikM · 2007-11-27 15:05:33

If the password is passed as an argument to the script, or by the script to something else, anyone can see it in that moment. This is why mysql hides the password when it is given on the command line (try "mysql -uroot -pblabla" and run "ps ax" in another terminal).

You can also try some smart group membership and suid bit, but sudo seems somehow better to me.

FeatherMonkey · 2007-11-27 15:34:04

Thank you the mysql example was exactly what I needed, took some trying though.

As you typed I was trying something similar by using a script with a sleep and echo's but think you've confirmed what I thought.

Yes there is a small window of opportunity but then its an opportunity.

Dusty · 2007-11-27 17:45:42

Further, if you pass the password on the command line, it will show up in your history. You should be the only one with permission to read this file, but to me its still a potential weak point.

Arch Linux

#1 2007-11-27 13:49:45

Bash and peeking at variables.

#2 2007-11-27 14:46:45

Re: Bash and peeking at variables.

#3 2007-11-27 14:55:07

Re: Bash and peeking at variables.

#4 2007-11-27 15:05:33

Re: Bash and peeking at variables.

#5 2007-11-27 15:34:04

Re: Bash and peeking at variables.

#6 2007-11-27 17:45:42

Re: Bash and peeking at variables.

Board footer