Additionally, command line parameters are always readable via /proc/$YOUR_PROCESS_PID/cmdline [1]
There are workarounds but it's fragile. You may accept the risks and in that case it can work for you but I wouldn't recommend it for "general security". Seems it wouldn't be considered secure if everyone did it this way, therefore is it security through obscurity?
[0] https://unix.stackexchange.com/questions/156859/is-the-data-...
[1] https://stackoverflow.com/questions/3830823/hiding-secret-fr...
The launching process would send a random password through stdin to the child after launch, and the child would use that to authenticate the further RPC calls.
It's surprisingly hard to intercept a process' stdin stream.
Meanwhile, I was an avid user of the echo secret | ssh consume approach, specifically for the kerberos authentication.
In my workflow, I saved the kerberos password to the macOS keychain, where kinit --use-keychain authenticated me seamlessly. However, this wasn't the case for remote machines.
Therefore, I have implemented a quick script that is essentially:
security find-generic-password -a "kerberos" -s "kerberos-password" -w | ssh user@host kinit user@REALM
Which served me really well for the last 4~years.
re: the /proc concerns - true, but if someone's got same-user access to read your /proc/pid/fd, they can probably ptrace you or read process memory anyway. stdin is more about basic hygiene than stopping sophisticated attackers.
tbh for anything actually sensitive I've been leaning toward tmpfs files with strict perms, or using something like vault/age. stdin is a nice middle ground tho for quick scripts.
man keyctl
kevin_thibedeau•1h ago
The world doesn't exclusively use Chrome. Nice to see even the nerds are contributing to the closed web.
ErroneousBosh•46m ago
I also wonder what they're using and where can I get some so I can break stuff too?
guerrilla•25m ago
In case anyone is wondering: https://www.falkon.org/about/