Possible security issue with the use of 'ps'

Apr 21, '03 09:20:00AM

Contributed by: God of Muffins

The ps command in UNIX returns a list of all of the commands that are currently running, as well as some information about them. Strangely, the command executes as root. This allows anyone connected to your machine via SSH see anything you are doing in the Terminal. For example, if I run ps -wao "user command" right now, it returns:

  USER  COMMAND
  root  login -pf ryang
  ryang -tcsh (tcsh)
  ryang ftp ftp://user:pass@127.0.0.1
  root  login -pf ryang
  ryang -tcsh (tcsh)
  root  ps -wao user command
As you can see, it returns information about an FTP connection, including the username and password I used with it.

[robg adds: I believe ps needs to run as root to find information on all processes. I think what this hint really reveals is that you shouldn't use the command line to input your username and password to the ftp program! Instead, create a file called .netrc in your home directory, and store your machine names, user names, and passwords there instead (make sure the file isn't readable by others by typing chmod go-r .netrc). Read more about .netrc files in the man ftp pages.]

Comments (13)


Mac OS X Hints
http://hints.macworld.com/article.php?story=20030418125128301