I'm running a software daemon that requires a passphrase for certain actions to unlock some features, which looks for example like this:

    $ darkcoind masternode start

Now I have some security concerns on my headless Debian server. Whenever I search my bash history, for example with Ctrl+R, I can see this super strong password. Now I imagine my server is compromised and some intruder has shell access and can simply Ctrl+R to find my passphrase in the history.

Is there a way to enter the passphrase without it being shown in bash history, ps, /proc or anywhere else?

Update 1: Passing no password to the daemon throws an error.

Update 2: Don't tell me to delete the software or other helpful hints like hanging the developers. I know this is not a best-practice example, but this software is based on bitcoin and all bitcoin-based clients are some kind of JSON-RPC server which listens to these commands, and it's a known security issue still being discussed (a, b, c).

Update 3: The daemon is already started and running with the command

    $ darkcoind -daemon

Doing ps shows only the startup command. So passing the commands with the passphrase does not show up in ps or /proc at all. This leaves the question where does the history show up? Only in.

Really, this should be fixed in the application itself. And such applications should be open source, so that fixing the issue in the app itself should be an option. A security related application which makes this kind of mistake might make other mistakes as well, so I wouldn't trust it.

Simple interposer

But you were asking for a different way, so here is one:

    #define _GNU_SOURCE

      ) = dlsym(RTLD_NEXT, "__libc_start_main");

      return next(main, argc, ubp_av, init, fini, rtld_fini, stack_end);

Compile this with

    gcc -O2 -fPIC -shared -o injectpassword.so injectpassword.c -ldl

Then run your process with

    LD_PRELOAD=$PWD/injectpassword.so darkcoind masternode start fakepasshrase
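A self-contained sketch of the interposer approach described in the answer above, as an added example (not the answerer's code). It goes one step further by reading the passphrase from a file that only the owner can access instead of compiling it in; the `PASSPHRASE_FILE` variable, the `BUILD_INTERPOSER` macro and the helper names `read_secret` and `swap_last_arg` are assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Read the passphrase from a file; refuse files that group/other can access. */
int read_secret(const char *path, char *buf, size_t len)
{
    struct stat st;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int ok = fstat(fileno(f), &st) == 0 && (st.st_mode & 077) == 0
             && fgets(buf, (int)len, f) != NULL;
    fclose(f);
    if (!ok) return -1;
    buf[strcspn(buf, "\n")] = '\0';   /* strip trailing newline */
    return buf[0] ? 0 : -1;           /* an empty passphrase is an error */
}

/* Point the last argument (the placeholder typed on the command line) at the
 * real passphrase. Only the pointer changes: the original argument bytes that
 * ps and /proc/PID/cmdline read still hold the placeholder. */
int swap_last_arg(int argc, char **argv, char *secret)
{
    if (argc < 2 || secret == NULL) return -1;
    argv[argc - 1] = secret;
    return 0;
}

#ifdef BUILD_INTERPOSER   /* hypothetical macro: defined only for the .so build */
typedef int (*main_fn)(int, char **, char **);
typedef int (*start_fn)(main_fn, int, char **, void (*)(void),
                        void (*)(void), void (*)(void), void *);

/* Called instead of glibc's startup routine when loaded through LD_PRELOAD. */
int __libc_start_main(main_fn main, int argc, char **ubp_av,
                      void (*init)(void), void (*fini)(void),
                      void (*rtld_fini)(void), void *stack_end)
{
    static char secret[256];
    start_fn next = (start_fn)dlsym(RTLD_NEXT, "__libc_start_main");
    const char *path = getenv("PASSPHRASE_FILE");   /* assumed variable name */
    if (path && read_secret(path, secret, sizeof secret) == 0)
        swap_last_arg(argc, ubp_av, secret);
    return next(main, argc, ubp_av, init, fini, rtld_fini, stack_end);
}
#endif
```

Build it with the answer's gcc command plus `-DBUILD_INTERPOSER`, and keep the passphrase file at mode 0600 so the permission check passes.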