
Does expect's 'spawn' command pass the parameters securely?

I have the following expect script which executes 'myexe' and passes some password as argument:

#!/usr/bin/expect
gets stdin pwd

log_user 0

eval spawn "/myexe ${pwd}"

log_user 1
expect eof
catch wait result
exit [lindex $result 3]

My executable 'myexe' is a compiled Linux executable (not a shell script) and the goal is to pass a password securely to it. Unfortunately the executable doesn't read stdin for the password, but instead expects it as a start parameter.

When I execute the following expect script I cannot see my 'myexe' executable with 'ps'. Does somebody know if the 'spawn' performed by the expect is secure enough? Would the password be visible somewhere else (/proc for instance)?

Don't use eval here. It could be disastrous, depending on the contents of the password. This should suffice:

spawn /myexe $pwd

Anyone doing a ps -ef while myexe is running will be able to see the password.
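The exposure described in the answer can be checked directly. The following is an added example, not part of the original question or answer. It assumes a Linux-style /proc (with ps as fallback), uses a hypothetical stand-in for /myexe (an sh that sleeps) and a constructed secret, and includes a stdin-fed run only for contrast.

```shell
#!/bin/sh
# Constructed sample secret (not a real credential); $$ makes it unique per run.
SECRET="constructed-secret-$$"

# Print PID's command line as any local user could read it.
# /proc/PID/cmdline is NUL-separated; fall back to ps where /proc is absent.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Start a stand-in for /myexe (hypothetical: an sh that sleeps) and poll its
# command line for about a second. Returns 0 if the secret is visible, 1 if not.
secret_visible() {
    case $1 in
        argv)  sh -c 'sleep 2; exit 0' myexe-standin "$SECRET" & ;;
        stdin) printf '%s\n' "$SECRET" |
                   sh -c 'read -r pw; sleep 2; exit 0' myexe-standin & ;;
        *)     return 2 ;;
    esac
    pid=$!
    seen=1
    tries=0
    while [ "$tries" -lt 10 ]; do
        case $(cmdline_of "$pid" 2>/dev/null) in
            *"$SECRET"*) seen=0; break ;;
        esac
        tries=$((tries + 1))
        sleep 0.1 2>/dev/null || sleep 1
    done
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null
    return "$seen"
}

for mode in argv stdin; do
    if secret_visible "$mode"; then
        echo "$mode: secret readable from the process list"
    else
        echo "$mode: secret not in the process list"
    fi
done
```

The argv run reports the secret as readable regardless of whether the process was started by expect's spawn or by a shell, because the kernel exposes the argument vector of every running process.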
