期望的“ spawn”命令是否安全地传递参数?
[英]Does the expect's 'spawn' command passes the parameters securely?
问题描述
I have the following expect script which executes 'myexe' and passes some password as argument: 
我有以下期望脚本,该脚本执行“ myexe”并传递一些密码作为参数:
#!/usr/bin/expect
gets stdin pwd
log_user 0
eval spawn "/myexe ${pwd}"
log_user 1
expect eof
catch wait result
exit [lindex $result 3]
My executable 'myexe' is compiled Linux executable (not shell script) and the goal is to pass a password securely to it. 我的可执行文件“ myexe”是已编译的Linux可执行文件(不是Shell脚本),目标是向其安全地传递密码。 Unfortunately the executable doesn't read the stdin for the password, but instead expects it as a start parameter. 不幸的是,可执行文件没有读取密码的标准输入,而是期望它作为开始参数。
When I execute the following expect script I cannot see my 'myexe' executable with 'ps'. 当我执行以下期望脚本时,看不到带有“ ps”的“ myexe”可执行文件。 Does somebody know if the 'spawn' performed by the expect is secure enough? 有人知道期望所执行的“生成”是否足够安全吗? Would the password be visible somewhere else (/proc for instance)? 密码在其他地方(例如/ proc)可见吗?
1 个解决方案
解决方案1
0 已采纳 2016-01-04 14:28:23
Don't use eval here. 不要在这里使用eval 。 It could be disastrous, depending on the contents of the password. 根据密码的内容,这可能是灾难性的。 This should suffice: 这样就足够了:
spawn /myexe $pwd
Anyone doing a ps -ef while myexe is running will be able to see the password. 在myexe运行时执行ps -ef任何人都可以看到密码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.