bug-bash

Re: maybe a bug in bash?


From: Dominique Martinet
Subject: Re: maybe a bug in bash?
Date: Sat, 1 Jul 2023 05:47:33 +0900

Greg Wooledge wrote on Fri, Jun 30, 2023 at 10:36:36AM -0400:
> > then as Greg suggested pass password to bash as argument instead;
> > assuming password has been quoted once as previously:
> > ssh user@machine << EOF
> > bash -c 'echo \$1' -- $password
> > EOF
> 
> I never suggested embedding the password inside an unquoted here document.
> My suggestion was more like this:
> 
> ssh user@machine bash -s "${password@Q}" <<'EOF'
> echo "$1"
> EOF

hm, this has the password show up in ps on the box executing ssh;
depending on the context that can be bad.

It does simplify the content of the here-doc a bit because it doesn't
require escaping, but the password itself still needs one layer of
escaping (so in his example not ${password@Q} but ${initial_password@Q}
or $password), and we don't know enough to know if showing up in ps can
be important, but passwords have generally been recommended to be passed
through stdin.
(The here-doc can use a file as backing so it's not necessarily great
either, but hopefully /tmp will be tmpfs and it'll only be readable by
root as opposed to readable by anyone who can read /proc which is pretty
much everyone by default)


Anyway, I agree on need-more-info and I'll probably stop replying to
this; there have been enough helpful answers.

-- 
Dominique Martinet | Asmadeus
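
The following is an added example, not part of the original message or thread: a POSIX sh sketch that uses a local `sh -c` child as a stand-in for the `ssh ... bash -s` invocation and compares what a process listing shows when a secret is passed as an argument versus through a here-document on stdin. The secret value, the `demo-marker` tag and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). SECRET is a constructed sample value;
# "demo-marker" is a non-secret tag used to detect that the child has exec'd.
SECRET='s3cr3t-constructed-sample'

# Print the command line of PID as a process listing would show it.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Poll (up to about 5 s) until the child's command line carries the marker,
# so we never inspect the pre-exec copy of the parent's command line.
wait_for_exec() {
    i=0
    while [ "$i" -lt 50 ]; do
        case "$(cmdline_of "$1" 2>/dev/null)" in *demo-marker*) return 0 ;; esac
        sleep 0.1; i=$((i + 1))
    done
    return 1
}

# Return 0 if SECRET appears in PID's command line, 1 if not, 2 on timeout.
secret_in_cmdline() {
    if ! wait_for_exec "$1"; then kill "$1" 2>/dev/null; return 2; fi
    seen=$(cmdline_of "$1")
    kill "$1" 2>/dev/null
    case "$seen" in *"$SECRET"*) return 0 ;; *) return 1 ;; esac
}

# Secret passed as a positional argument: it becomes part of argv.
leaks_via_argv() {
    sh -c 'sleep 2; :' demo-marker "$SECRET" &
    secret_in_cmdline "$!"
}

# Secret passed on stdin through a here-document: argv holds only the script.
leaks_via_stdin() {
    sh -c 'read -r pw; sleep 2; :' demo-marker <<EOF &
$SECRET
EOF
    secret_in_cmdline "$!"
}

leaks_via_argv && echo "argv:  secret visible in the process listing"
leaks_via_stdin || echo "stdin: secret absent from the process listing"
```
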


