Let's say I have written a Perl script called "foo.pl" that takes in a password argument via the -p switch.
However, while it is running, anyone can do a ps and see the entire command-line string, including the password:
$ ps a |grep 'foo\.pl'
32310 pts/4 S+ 0:00 /usr/bin/perl -w ./foo.pl -p password
32313 pts/5 S+ 0:00 grep foo.pl
What is the easiest/simplest way to hide the password and replace it with something like xxxxxx?
Ask for the password from inside the script, so you don't have to pass it as an argument.
Update
Apparently this works for me, simulating mysql's behaviour:
#!/usr/bin/perl
# Rebuild $0 from the script name and its arguments, masking the password value
($0 = "$0 @ARGV") =~ s/--password=\K\S+/x/;
<STDIN>;
$ ./s --user=me --password=secret
^Z
$ ps
PID TTY TIME CMD
1637 ttys000 0:00.12 -bash
2013 ttys000 0:00.00 ./s --user=me --password=x
Under MacOS 10.6
Passing passwords on the command line is not really a good idea, as already mentioned.
But: you can usually (it is OS-dependent) change the name that is shown by ps by assigning to $0.
e.g. (tested on Linux)
$ cat secret.pl
#!/usr/bin/perl
$0 = "my secret perl script";
sleep 15;
$ ./secret.pl -p foobar &
[2] 426
$ ps a | grep perl
426 pts/0 S 0:00 my secret perl script
428 pts/0 S+ 0:00 grep perl
See the section on $0 in the perlvar manpage for details.
There are a couple of ways to go. The most immediate is to (like sidyll says) prompt for the password in the actual script. Don't put it on the command line, and you won't have to hide it.
Another option is a private password file. This file can be read through shell interpolation, but it's still kind of a kludge.
You could add a bit more flexibility to the private password file by wrapping your script in a "launcher" script. Essentially, you write a script whose sole purpose is to "set up" the password file, and then launch your real script.
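The private password file and launcher idea above, sketched as an added example (not code from the original answer). The function names, the file path in the usage comment, and the convention that the real script reads the password from standard input are assumptions; `stat -c` is the GNU/busybox form.

```shell
#!/bin/sh
# Added example: a launcher that keeps the password out of argv.
# Assumptions: GNU/busybox stat (stat -c) and a target program that reads
# the password from standard input instead of taking it as -p <password>.

# Print the first line of a private password file. Refuses symlinks, files
# owned by another user, and files that group or others can access.
# (The check and the read are separate steps, so keep the file in a
# directory only its owner can write to.)
read_secret_file() {
    file=$1
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "not a regular file: $file" >&2; return 1
    fi
    owner=$(stat -c '%u' "$file") || return 1
    mode=$(stat -c '%a' "$file") || return 1
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing $file: not owned by the current user" >&2; return 1
    fi
    case $mode in
        600|400) ;;
        *) echo "refusing $file: mode $mode, expected 600 or 400" >&2
           return 1 ;;
    esac
    # read fails on a missing final newline but still fills the variable
    IFS= read -r secret < "$file" || [ -n "$secret" ] || return 1
    printf '%s\n' "$secret"
}

# Run the real program ("$@") with the secret on its standard input.
# printf is a shell builtin, so no process ever carries the secret in its
# argument list and ps shows only the program name and its other options.
launch_with_secret() {
    file=$1; shift
    secret=$(read_secret_file "$file") || return 1
    printf '%s\n' "$secret" | "$@"
}

# Usage (hypothetical path): launch_with_secret "$HOME/.foo_pw" ./foo.pl
```

Expanding the file on the command line instead, as in `./foo.pl -p "$(cat file)"`, would put the password back into the child's argument list, which is why the launcher uses a pipe.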
When I was checking Perl processes using ps aux | grep perl, a list of Perl PIDs was shown, apparently waiting in a queue, so I started investigating how these /usr/local/bin/processLogs processes got initiated. I wanted to know what -w means in the process execution /usr/bin/perl -w /usr/local/bin/processLogs.
[root@test]# ps aux | grep perl
root 4223 1.6 0.0 132560 4576 ? R 03:11 1:06 /usr/bin/perl -w /usr/local/bin/processLogs
root 4233 1.3 0.0 132560 4552 ? R 03:11 0:55 /usr/bin/perl -w /usr/local/bin/processLogs
root 4246 1.1 0.0 132560 4552 ? R 03:11 0:49 /usr/bin/perl -w /usr/local/bin/processLogs
root 4259 1.0 0.0 132560 4548 ? R 03:11 0:44 /usr/bin/perl -w /usr/local/bin/processLogs
root 4272 0.8 0.0 132560 4544 ? R 03:11 0:33 /usr/bin/perl -w /usr/local/bin/processLogs
root 4288 0.6 0.0 132560 4580 ? R 03:11 0:28 /usr/bin/perl -w /usr/local/bin/processLogs
If you run perl -h you will get the help menu, where it says for -w:
-w enable many useful warnings
This simply enables warnings. If this program is run in an automatic process, the warnings may be redirected to a log where you can read them. Assuming there are any warnings. You will need to refer to the program file processLogs to see what the program does.
Typically, an experienced user will not use -w, but prefer to use the lexically scoped use warnings instead.
The full output:
$ perl -h
Usage: perl [switches] [--] [programfile] [arguments]
-0[octal] specify record separator (\0, if no argument)
-a autosplit mode with -n or -p (splits $_ into @F)
-C[number/list] enables the listed Unicode features
-c check syntax only (runs BEGIN and CHECK blocks)
-d[:debugger] run program under debugger
-D[number/list] set debugging flags (argument is a bit mask or alphabets)
-e program one line of program (several -e's allowed, omit programfile)
-E program like -e, but enables all optional features
-f don't do $sitelib/sitecustomize.pl at startup
-F/pattern/ split() pattern for -a switch (//'s are optional)
-i[extension] edit <> files in place (makes backup if extension supplied)
-Idirectory specify @INC/#include directory (several -I's allowed)
-l[octal] enable line ending processing, specifies line terminator
-[mM][-]module execute "use/no module..." before executing program
-n assume "while (<>) { ... }" loop around program
-p assume loop like -n but print line also, like sed
-s enable rudimentary parsing for switches after programfile
-S look for programfile using PATH environment variable
-t enable tainting warnings
-T enable tainting checks
-u dump core after parsing program
-U allow unsafe operations
-v print version, patchlevel and license
-V[:variable] print configuration summary (or a single Config.pm variable)
-w enable many useful warnings
-W enable all warnings
-x[directory] ignore text before #!perl line (optionally cd to directory)
-X disable all warnings
Run 'perldoc perl' for more help with Perl.
I know that grouping commands(command-list) creates a subshell environment, and each listed command is executed in that subshell. But if I execute a simple command in the grouping command, (use the ps command to output the processes), then no subshell process is output. But if I tried to execute a list of commands (compound command) in the grouping command, then a subshell process is output. Why does it produce such a result?
A test of executing a simple command (only a ps command) in a grouping command:
[root@localhost ~]# (ps -f)
with the following output:
UID PID PPID C STIME TTY TIME CMD
root 1625 1623 0 13:49 pts/0 00:00:00 -bash
root 1670 1625 0 15:05 pts/0 00:00:00 ps -f
Another test of executing a compound command (a list of commands) in a grouping command:
[root@localhost ~]# (ps -f;cd)
with the following output:
UID PID PPID C STIME TTY TIME CMD
root 1625 1623 0 13:49 pts/0 00:00:00 -bash
root 1671 1625 0 15:05 pts/0 00:00:00 -bash
root 1672 1671 0 15:05 pts/0 00:00:00 ps -f
I tested a lot of other commands (compound commands and simple commands), but the results are the same. I guess even if I execute a simple command in a grouping command, bash should fork a subshell process, otherwise it can't execute the command. But why can't I see it?
Bash optimizes the execution. It detects that only one command is inside the ( ) group and calls fork + exec instead of fork + fork + exec. That's why you see one bash process less in the list of processes. It is easier to detect when using a command that takes more time ( sleep 5 ) to eliminate timing. Also, you may want to read this thread on unix.stackexchange.
I think the optimization is done somewhere inside execute_cmd.c in execute_in_subshell() function (arrows > added by me):
/* If this is a simple command, tell execute_disk_command that it
might be able to get away without forking and simply exec.
>>>> This means things like ( sleep 10 ) will only cause one fork
If we're timing the command or inverting its return value, however,
we cannot do this optimization. */
and in execute_disk_command() function we can also read:
/* If we can get away without forking and there are no pipes to deal with,
don't bother to fork, just directly exec the command. */
It looks like an optimization and dash appears to be doing it too:
Running
bash -c '( sleep 3)' & sleep 0.2 && ps #or with dash
as does, more robustly:
strace -f -e trace=clone dash -c '(/bin/sleep)' 2>&1 |grep clone # 1 clone
shows that the subshell is skipped, but if there's post work to be done in the subshell after the child, the subshell is created:
strace -f -e trace=clone dash -c '(/bin/sleep; echo done)' 2>&1 |grep clone #2 clones
Zsh and ksh are taking it even one step further and for (when they see it's the last command in the script):
strace -f -e trace=clone ksh -c '(/bin/sleep; echo done)' 2>&1 |grep clone # 0 clones
they don't fork (=clone) at all, execing directly in the shell process.
TL;DR :
I want to get the command running (if running) in the /bin/bash processes.
I want a script that can identify in the /bin/bash process the command /bin/bash is running. Tried to find it in /proc/[pid]/cmdline but it only shows /bin/bash.
Is there a way to do this, or is what I'm wondering impossible? :o
I'm asking because when I run ps -ef, some processes (like ssh) show how they're running.
user 30410 30409 0 10:58 pts/0 00:00:00 ssh name@127.0.0.1 <-- here
There is the ssh command fully printed.
We can see the same if I do the command ps -ef | grep "/bin/bash"; it returns:
user 20080 4999 0 13:40 pts/9 00:00:00 grep /bin/bash <-- here
There is the command grep /bin/bash printed.
But if I run a bash loop like while true; do echo "hello"; done
and then I do ps -ef | grep "while", it returns nothing!!!
That depends on what type of command you are looking for.
For external commands running from a shell, "ps -efH" shows you a hierarchical list of running processes, in which you can then find the info you need.
Bash built-in commands don't show up in the ps list; you will have to enable script debugging using "set -x" and then monitor the stderr to see what the script is doing.
To answer the edits you made:
while is a built-in, so it doesn't show up, but the "echo" will show up in the "ps -efH" output I mentioned above.
The Shell module, Shell.pm, does not seem to run shell commands with CentOS 7.4.
For instance, the following script is OK with CentOS 6.4:
#!/usr/bin/perl
use Shell qw(ps);
$cmd=ps;
print $cmd . "\n";
Result is as expected:
PID TTY TIME CMD
29090 pts/1 00:00:00 bash
29325 pts/1 00:00:00 test.pm
29326 pts/1 00:00:00 ps
But with CentOS 7.4
#!/usr/bin/perl -I /usr/share/perl5/CPAN
use Shell qw(ps);
$cmd=ps;
print $cmd . "\n";
Result is:
ps
If I add to the previous script:
cat("/etc/passwd");
Following error is raised:
Undefined subroutine &main::cat called at ./test.pm line 10
With a real script none of system commands are well interpreted. Should I rewrite everything with system('command')!?
Finally I succeeded in making it work!
Installation was not quite good.
I had to run :
cpan App::cpanminus
then
cpanm Shell
I'm trying to start an application (newsbeuter) at boot but I can't.
I'm trying with:
tmux new-session -d -s main
tmux new-window -t main:1 '/usr/bin/newsbeuter'
Tmux is up but newsbeuter doesn't start:
ps -ef | grep -i tmux
root 2118 1 0 16:09 ? 00:00:00 tmux new-session -d -s main
pi 2245 2211 0 16:09 pts/1 00:00:00 grep --color=auto -i tmux pi@raspberrypi
ps -ef | grep -i news
pi 2247 2211 0 16:09 pts/1 00:00:00 grep --color=auto -i news
Could you help me please?
Many thanks and sorry for my english!
Upon startup, Newsbeuter will look for the URLs file, first in $XDG_CONFIG_HOME/.config/newsbeuter, then in ~/.newsbeuter (the file should be named urls). If it doesn't find any, it will quit with an error message. I'm supposing that's what's happening in your case: since you're starting things from /etc/rc.local, your $HOME is not your user's, so Newsbeuter doesn't find the file and quits.
One way to correct this would be to su into your user before starting Newsbeuter.
Another would be to provide the path to urls explicitly with --url-file=/home/username/.newsbeuter/urls (and also --cache-file, probably --config-file as well).
To see a possible error message, do tmux set set-remain-on-exit before the tmux new-window, and afterwards attach to the new window and press Ctrl-B Page Up.