Question

How to hide "system" function execution in a C program from ps?

Asked by: rrajeshekhar

In a 'C' program, if I write a line something like as follows:

system ("echo password | gpg --no-tty -q --passphrase-fd 0 -d add2numbers.sh.asc | bash -s 3 4");

where I am decrypting an encrypted script file, add2numbers.sh.asc using GnuPG (i.e. gpg) tool and executing the script. To decrypt the file, I need to provide the password. Here is the security matters. When I am executing the corresponding executable, I can see the password through "ps" command in linux.
So, please provide me a solution how to hide the password when executing a statement using "system" function.

THANKS IN ADVANCE for any small help.

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2008-07-09 at 01:16:41ID23549391
Tags

ps

,

hide

,

system

,

function

,

c

Topics

C Programming Language

,

Linux Programming

,

Encryption for Network Security

Participating Experts
4
Points
500
Comments
46

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. tty
    what is tty ?
  2. stdin: is not a tty
    problem is this: everytime I try to scp into this one box I get this error: [joe@www samba]$ scp id_rsa id_rsa.pub xxx@www.xxx.com:~/.ssh stdin: is not a tty [joe@www samba]$
  3. encrypt and decrypt file using bash script
    hello.....can anybody teach me how to encrypt and decrypt file using bash script .....i really don't know how to do it...plz...
  4. GnuPG --passphrase-fd  option in BASH
    Fedora C2. I need to encrypt a file received by a CGI script and be able to decrypt it later. I need these processes automated. I have made the following test script that I hoped would do both and can be split later: #!/bin/bash rm -f encrypted cat phrase | gpg --batch...
  5. Boot error: Can't access TTY: job control disabled
    I just built a new computer with the DG965WH intel board and using RAID 0. Have a DVD/CD drive connected via IDE. Decided to try out XGL so downloaded Ubuntu and on boot got the error Can't access TTY: job control disabled and it drops me to a limited access shell. Then ...
  6. kill tty
    How do you kill i.e. this tty session? User tty login@ idle JCPU PCPU what root pts/0 Thu11AM 21:20 5:24 0 -ksh

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: evilrixPosted on 2008-07-09 at 01:20:49ID: 21961461

>> please provide me a solution how to hide the password when executing a statement using "system" function.
I don't believe there is anyway you can prevent the. The solution is not to use the system function but to do this in code.

What is it you are trying to achieve here? Lets see if we can find a C way of doing it.

 

by: sunnycoderPosted on 2008-07-09 at 01:23:02ID: 21961463

read the password from a file and restrict the permissions on that file.
or
read pass word interactively from user
or
include password in the code - a hardcoding

All methods have some weakness
first and last store password in clear text so there are chances of password being compromised. Second one cannot run without user interaction.

Yet another option is to keep the password encrypted in a file.

 

by: rrajeshekharPosted on 2008-07-09 at 02:11:57ID: 21961658

>> please provide me a solution how to hide the password when executing a statement using "system" function.
>>>I don't believe there is anyway you can prevent the. The solution is not to use the system function but to do this in code.

>>>What is it you are trying to achieve here? Lets see if we can find a C way of doing it.

In the 'C' program, I am executing a bash inline statement, where I have to supply a public key (password) to the gpg command to decrypt the encrypted file, add2numbers.sh.asc.

system ("echo password | gpg --no-tty -q --passphrase-fd 0 -d add2numbers.sh.asc | bash -s 3 4");

But while executing the corresponding 'C' code, if anyone tries to crack the key, he can do it easily by doing a "ps -ax", where he can see the same statement as one process.
He can easily see the public key, "password".

I am trying to give protection to all the shell scripts and some flat configuration files by encrypting them and trying to run them after decrypting and executing from a 'C' program through "system" function. But system function reveals everything when you check the process status through "ps -ax" command.

 

by: rrajeshekharPosted on 2008-07-09 at 02:18:56ID: 21961692

>>read the password from a file and restrict the permissions on that file.
>>or
>>read pass word interactively from user
>>or
>>include password in the code - a hardcoding

You are right. But this is not the best solution. Changing the permission will not help as the intruder can have admin priviledges.

>>All methods have some weakness
>>first and last store password in clear text so there are chances of password being >>compromised. Second one cannot run without user interaction.

>>Yet another option is to keep the password encrypted in a file.

Again the same problem to decrypt this file. How to hide this second password again?

 

by: Infinity08Posted on 2008-07-09 at 02:20:55ID: 21961699

If you still want to use system, then you could do something like :

system ("gpg --no-tty -q --passphrase-fd 0 -d add2numbers.sh.asc < pwd.txt | bash -s 3 4");

where pwd.txt is a text file that contains the password.
If that text file is only readable by the user that runs your application, then seeing the ps entry won't help a cracker much, since he doesn't have access to the pwd.txt file.

I'd still recommend to take note of evilrix's suggestion not to use system though. Consider using a combination of fork and exec instead :

       http://www.yolinux.com/TUTORIALS/ForkExecProcesses.html

 

by: sunnycoderPosted on 2008-07-09 at 02:22:38ID: 21961705

key to the file can be coded into your program.

If intruder has admin priv then password has already been compromised and system is anyway doomed. There is little any password hiding trick can do to save your system.

 

by: Infinity08Posted on 2008-07-09 at 02:23:08ID: 21961707

>> >>read the password from a file and restrict the permissions on that file.

Oops, it seems sunnycoder already suggested that. Sorry.


>> Changing the permission will not help as the intruder can have admin priviledges.

If the intruder has admin privileges with full access to the system, there isn't really anything you can do to automate this. The password will have to be stored somewhere somehow.

 

by: rrajeshekharPosted on 2008-07-09 at 02:48:49ID: 21961821

>>Infinity08:
>>If you still want to use system, then you could do something like :

>>system ("gpg --no-tty -q --passphrase-fd 0 -d add2numbers.sh.asc < pwd.txt | bash -s 3 4");

>>where pwd.txt is a text file that contains the password.
>>If that text file is only readable by the user that runs your application, then seeing the ps entry won't help a cracker much, since he doesn't have access to the pwd.txt file.

I repeat the intruder can be a system administrator.

>>I'd still recommend to take note of evilrix's suggestion not to use system though. >>Consider using a combination of fork and exec instead :

I am not at all particular of using "system" or "fork" and "exec". The basic problem is that I need to execute a command where I am passing a key. I am not able to hide that key.

Use of "fork"+"exec" or "system" to execute any command displays that command through "ps -ax".

 

by: evilrixPosted on 2008-07-09 at 02:51:43ID: 21961838

>> I repeat the intruder can be a system administrator.
Once physical access to the box has been achieved there is little you can do to protect. Especially if the intruder has admin rights.

 

by: rrajeshekharPosted on 2008-07-09 at 02:55:45ID: 21961852

>>key to the file can be coded into your program.
HOW?

>>If intruder has admin priv then password has already been compromised and system is anyway doomed. There is little any password hiding trick can do to save your system.

Cracking the public key stored by GNUpg is not very easy. The public key is generated by an intelligent program which is regenrated by the 'C' program I am talking about. This key is matched with the public key stored in the target machine to allow any encrypted script to get executed. If the intruder has admin priviledge, that does not mean he can do anything he wants. Am I right!!!

 

by: sunnycoderPosted on 2008-07-09 at 02:55:57ID: 21961853

you need password to be somewhere on the system or accessible to the system. Admin can access entire system and everything that is accessible to your system. So nothing we do will help you in this case.

 

by: Infinity08Posted on 2008-07-09 at 02:56:33ID: 21961857

>> I am not able to hide that key.

As said : if your assumption is that the intruder will have superuser privileges, then you've already lost :) You're fighting a battle you can't win heh.


>> Use of "fork"+"exec" or "system" to execute any command displays that command through "ps -ax".

That's not your most important problem. If your intruder has superuser privileges, he can pretty much do whatever he wants, and he will probably not have to look at the ps output (that would require him to look at it at the exact right moment) to get the password, since he can simply retrieve it from the hard disk - wherever it's stored.

 

by: evilrixPosted on 2008-07-09 at 03:00:03ID: 21961871

>> that does not mean he can do anything he wants. Am I right!!!
There isn't much he can't do... I think if you've an admin rights intruder your problems go a lot beyond this one :)

 

by: sunnycoderPosted on 2008-07-09 at 03:00:04ID: 21961874

>This key is matched with the public key stored in the target machine toallow any encrypted script to get executed. If the intruder has
>adminpriviledge, that does not mean he can do anything he wants.
public key cryptography means that you need a secret private key for decryption and this key will be on the system or accessible to the system - again within the reach of intruder. You can use as strong an algorithm with as long a key as you want, but there is no way you can prevent the key from being compromised

 

by: rrajeshekharPosted on 2008-07-09 at 03:04:22ID: 21961892

>> I repeat the intruder can be a system administrator.
>>>Once physical access to the box has been achieved there is little you can do to protect. Especially if the intruder has admin rights.

Protecting in what way? By storing a file which stores the key.
Or he can do whatever he wants? I don't think so.

I have mechanism in place to protect the code. But I cannot store a file physically on disk which will be holding the key/password. The password/key handshaking should happen in memory.

 

by: Infinity08Posted on 2008-07-09 at 03:07:54ID: 21961905

>> I have mechanism in place to protect the code.

If the intruder has superuser priviliges, then he has access to the code ;) I'm not sure how you intend to protect against that.


>> The password/key handshaking should happen in memory.

Yes, but where does your application get the password from ? It has to be stored somewhere ...

 

by: rrajeshekharPosted on 2008-07-09 at 04:21:41ID: 21962312

It is an effort to make the decryption of files diffcult and give a feeling to the intruders that the code is protected in some way. Nothing is impossible in this earth. Anything can be cracked. But here it is not the situation where you will find intruders sitting all around. Here the intruders are lazy enough to dig into the problem of cracking some algorithm :) so no need to worry for that.

Just to make the things difficult to unhide the encrypted code, we always follow some protocol and we will also be following the same.

Instead of going beyond the context and fighting for the system security issue, let's focus on the actual point. What would be the best way to follow so that password/key handshaking should not happen on disk and the key should not get revealed easily for the problem I am talking about?

 

by: evilrixPosted on 2008-07-09 at 04:27:12ID: 21962336

>> What would be the best way to follow so that password/key handshaking should not happen on disk and the key should not get revealed easily for the problem

I've already answer that, write it as native C solution. As long as you execute system() you'll leave a foot-print in ps, there is no way (simply) to avoid this. The only other way is to store the data in a file but you have ruled this out.

BTW: Even doing it in native C code isn't secure in so far a it is possible to reverse engineer a compiled program.

Basically as long as someone has admin access to the box there is little you can do to protect this. This isn't off topic, it is a fundemental point to the question you are asking. Once physical access is attained all security bets are off.

 

by: Infinity08Posted on 2008-07-09 at 04:37:09ID: 21962394

>> Here the intruders are lazy enough to dig into the problem of cracking some algorithm :)

An intruder who is dedicated enough to obtain superuser access to a machine, but would be stopped by an algorithm ? That doesn't sound very plausible.


>> Instead of going beyond the context and fighting for the system security issue

I thought that was exactly the issue : system security has been compromised because an intruder obtained superuser privileges. So, you're basically trying to keep data safe on a compromised system. It's like putting your money in a bank that you know has the doors and the safe wide open, and expecting that your money will be safe.

 

by: rrajeshekharPosted on 2008-07-09 at 04:45:05ID: 21962440

>>I've already answer that, write it as native C solution. As long as you execute system() you'll leave a foot-print in ps, there is no way (simply) to avoid this.
Forget about system(). Now, I think I have to remove the system() function from the glibc. haha. It was a function to explain my problem to you. Not all particualr about this function call.

>>The only other way is to store the data in a file but you have ruled this out.
yes.

>>BTW: Even doing it in native C code isn't secure in so far a it is possible to reverse engineer a compiled program.
Aha...gr8. please tell me how can I do it in native C code. Forget about reverse engineering of 'C' code. It is not possible for the type of intruders I am talking about.

>>Basically as long as someone has admin access to the box there is little you can do to protect this.
We know the type of intruders. Plzzzzz do not worry for this.

>>This isn't off topic, it is a fundemental point to the question you are asking. Once physical access is attained all security bets are off.
The whole story is not explained to you. Because of patent issue. I bet it is hard to crack my system evenif somebody is getting the full physical access to all the encrypted files.

I am neither particular about C nor any particualr language.

 

by: Infinity08Posted on 2008-07-09 at 04:51:55ID: 21962481

>> It is not possible for the type of intruders I am talking about.

That doesn't make sense. An intruder that has the skills to gain superuser privileges surely has the knowledge to get a password out of an executable. If you're not careful, a simple

        strings executable

will already reveal it.


>> We know the type of intruders. Plzzzzz do not worry for this.

Care to elaborate, because I don't understand.

 

by: rrajeshekharPosted on 2008-07-09 at 04:55:34ID: 21962509

>>>>An intruder who is dedicated enough to obtain superuser access to a machine, but would be stopped by an algorithm ? That doesn't sound very plausible.

I am repeating reverse engineering of my system is not that easy. I am betting on this.

>>>I thought that was exactly the issue : system security has been compromised because an intruder obtained superuser privileges. So, you're basically trying to keep data safe on a compromised system. It's like putting your money in a bank that you know has the doors and the safe wide open, and expecting that your money will be safe.

There is difference between my doors being open and illusion of being opened. So it is not only the gpg tool which protects my system, but also many other security features. I have security guards, tankers, big battalion in the bank to protect my money. HAHA. Don;t worry for that.

 

by: evilrixPosted on 2008-07-09 at 04:57:43ID: 21962525

>> I am repeating reverse engineering of my system is not that easy. I am betting on this.
Security by naivety is not security.

>> I have security guards, tankers, big battalion in the bank to protect my money
Would they see a mouse slip in?

 

by: evilrixPosted on 2008-07-09 at 04:59:31ID: 21962536

Anyway, the question was, "please provide me a solution how to hide the password when executing a statement using "system" function."

The answer is, there is no simple way to do this, especially with the additional restrictions imposed subsequently.

 

by: Infinity08Posted on 2008-07-09 at 05:06:27ID: 21962602

>> So it is not only the gpg tool which protects my system, but also manyother security features. I have security guards, tankers, big battalionin the bank to protect my money. HAHA. Don;t worry for that.

Euhm, if the doors are open, I'll simply throw in a bomb (with sleeping gas ;) ), watch the battalion get blown up, then simply stroll in and walk out with the money.
Or for your system : you do realize that a superuser can disable whatever security measures you put in, don't you ?


We are trying to give you good advice here, but if you still stand by this :

>> I am repeating reverse engineering of my system is not that easy. I am betting on this.

then what's the problem really ? You obviously have thought of everything, and since the intruders won't pose a problem (except for looking at the ps output), you can simply use any of the techniques already suggested.

I don't want to bet on it being secure like you would though.

 

by: evilrixPosted on 2008-07-09 at 05:12:17ID: 21962649

>> Not a great solution!!! Please do not divert yourself from the question when you do not have the proper solution.
I can't give you a solution if there isn't one to give. The answer I have given you is correct, it is not wrong in any way.

We were not diverting from the problem, we were trying to ensure you were aware of the scope of it. The question and some of your comments suggest you really are not and it would be irrisponsible for us to give you a half-baked solution without making sure you are aware of the implecations of what you are trying to do!

If you still feel like we have not assited you then I suggest you reopen the question and wait for additional answer.

 

by: evilrixPosted on 2008-07-09 at 05:17:39ID: 21962692

>> I suggest you reopen the question and wait for additional answer.
In fact I'm going to do this since (a) I am not happy with the comment you have posted in your close comemnt and (b) I don't think this Q actually adds anything useful for the PAQ database!

http:Q_23549882.html

I8, I hope you don't object.

 

by: rrajeshekharPosted on 2008-07-09 at 05:29:52ID: 21962775

>>> Not a great solution!!! Please do not divert yourself from the question when you do not have the proper solution.
>>I can't give you a solution if there isn't one to give. The answer I have given you is correct, it is not wrong in any way.

>>We were not diverting from the problem, we were trying to ensure you were aware of the scope of it. The question and some of your comments suggest you really are not and it would be irrisponsible for us to give you a half-baked solution without making sure you are aware of the implecations of what you are trying to do!

>>If you still feel like we have not assited you then I suggest you reopen the question and wait for additional answer.

evilrix!!! Please do not feel bad for the comments. When I am talking about gpg, please do not think the security problem is over there. Same here as well. My research is on that. I have lot many other features which secure my system. I have remote system key-exchange mechanism in place. I have developed file-tampering tool with encryption/decryption mechanism. Developed my own advanced cryptic script-obfuscator, root-user abator and few others. I am not going to explain how my system is secured over here. It is a place where experts reside and I appreciate your efforts. But come to the point and answer to the question. Please do not dig into the issue which user does not want to reveal. If there is no solution, then say "No, not possible". That would have answered my question.

Anyway Thanks for the efforts.

 

by: evilrixPosted on 2008-07-09 at 05:33:37ID: 21962804

>> But come to the point and answer to the question
>> If there is no solution, then say "No, not possible". That would have answered my question.

I did that in my very first post (the very first post to this thread) http:#21961461
"don't believe there is anyway you can prevent the. The solution is not to use the system function but to do this in code"
Which part of that wasn't clear enough for you?

We then endevoured to try and find an alterative but lack of infomation from you made this unfeasable.

 

by: Infinity08Posted on 2008-07-09 at 07:36:57ID: 21964068

>> I am not going to explain how my system is secured over here.

If an intruder gaining superuser access is considered "normal", then I wouldn't say the system is secure ;)

 

by: evilrixPosted on 2008-07-10 at 00:29:06ID: 21971174

>> How should we dispose of this question? Rx suggested a simple delete, but I'll entertain recommendations.
I'd just leave it open until either clean-up or the OP decides to close it himself properly. I don't object to the C grade, if that's what the OP feels it's worth then so be it but I do object to the implication that we were not being helpful. Questions regarding security issues cannot just be answered with glib responses since they could lead the Asker down a path that leaves them at risk. All the experts in this thread were trying to ensure the OP understood the implications of what he was doing. It is clear from some of the reeponses that this may not be the case. Maybe we are just too caring :)

 

by: sunnycoderPosted on 2008-07-10 at 06:36:12ID: 21973202

I feel that evilrix and infinity08 were right in trying to make the asker realize that the approach he is proposing to take is fraught with peril. However, apparently asker seems to be sure that this is the way he wants to take.

It is unlikely that a discussion would now ensue in this thread. I would suggest opening another thread with all the constraints laid out in the question itself. That way there is a better chance of having a discussion that is useful to the asker.

This question can probably be awarded without adding to PAQ database - Is that possible?

 

by: evilrixPosted on 2008-07-13 at 23:43:37ID: 21996085

No objection, but just to point out this Q was answered correctly. {http:#21961461}
My objection was to the unnecessary comment made against the closure.

 

by: PaulCaswellPosted on 2008-07-14 at 02:10:53ID: 21996617

My 2c worth,

The initial opinion of the experts was, essentially, 'there's no point trying because if an intruder can see the command line they can see everything else anyway'.

When asker attempted to guide his question towards 'forget whether its worth it, can it be done' experts seemed unable to divert themselves.

If someone had suggested something like 'download gpg source and make a library out of it' then perhaps asker would have realised that although there are solutions they are essentially unfeasible.

To my mind, a C grade is a little harsh. The advice being given was essentially the best advice.

To my mind, asker was correct in pointing out that experts had not allowed themselves to be diverted but the wording of the note seems a little OTT to a native English speaker.

I hope I haven't ruffled any feathers. :)

Paul

 

by: evilrixPosted on 2008-07-14 at 02:16:27ID: 21996644

>> I hope I haven't ruffled any feathers
Hi Paul, Nope. :)

The essence here is that we were trying to ensure the OP understood the implications of what he was trying to do. This was not apparent (to me at least) from the responses we were getting. I did point out that given the original requirements it couldn't be done. This was embodied in my first post.

 

by: evilrixPosted on 2008-07-14 at 02:17:30ID: 21996645

Um, why are my comments suddenly in Orange?

 

by: Infinity08Posted on 2008-07-14 at 02:22:28ID: 21996665

You are right, Paul. But I don't want to be responsible for giving a false sense of security, by omitting important advice. When it comes to security, nothing is unimportant, so the statement that we shouldn't worry about the fact that intruders gaining superuser privileges is considered normal and harmless, brings out large red flags, flashing lights and alarms everywhere for me. I cannot ignore that heh.

But yes, I agree with your analysis ;) I will not allow myself to be diverted on this lol.

 

by: rrajeshekharPosted on 2008-07-14 at 23:32:15ID: 22004545

Dear PaulCaswell, evilrix and Infinity08,
I am very sorry to see you all fighting for the grade given to the solution. The grade is given from my side considering all factors. The type of solution given is very straight forward without giving much details about it.
If you see all the conversations one after another, it seems like you all are focussing on the same issue which is not that serious for me. I appreciate Mr. Evilric and Mr. Infinity08 to bring out the the issue of how insecure my system is. But I wanted you all to tackle the problem little differently. As Mr. PaulCaswell came up with a possible solution "why not library of GPG?", that could have been helpful to me. Seriously speaking I tried that, but it is going to take little bit more time for me to dig into its API's and use them. But I found the solution in gpg itself (Running gpg-agent as a service will solve the purpose by placing the password/passphrase/key in memory for few use-defined seconds. gpg-client can read the passphrase withe help of gpg-agent by reading the same from memory location). Please read the following excerpts from the link,
http://ohioloco.ubuntuforums.org/showthread.php?t=819719 where the GPG-developers talk about the security of GnuPG.
---------------------------------------------------------------------------------------------------------------------------
"How secure is GnuPG? Who really knows? Only the NSA knows for sure -- and you think they would tell us? By best accounts from the world's leading mathematicians however, the algorithms used with GnuPG today would take the best computer, many years to break (if at all). Again however, the downside of gnupg, is the loss of the password, or private keys. Its much easier for a rogue per se to do something to obtain the keys through subversive another process, than break the underlying algorithm."
---------------------------------------------------------------------------------------------------------------------------
Apart from this GnuPG tool , we have many other secured mechanisms in place. So, for the time-being this much of security is enough for our initial version of our software, which does not worth it. Later on we will come up with better secured mechanism for our next version.

If suppose I will ask a fresher in Linux domain, I will ask the same question then he would have come up with the similar comments what Mr. Evilixr and Mr. Infinity08 had given. Super-user permission!!!! ==> "No security at all". This much of sense I too have my dear friends. So, when I am repeating many a time not to worry about for that, you people did not listen at all. I felt I am in a discussion forum which is not going to help me more than what they have already discussed. So, I purposefully closed the question with some grade. But as Mr. PaulCaswell mentioned, I became little harse in the grade side. For this I am very sorry to the group. My kind request to you all to help others and attack the right point what the asker is battling for.
There are one more solution for the problem I had asked for. Please read the following link.
http://www.uaex.edu/srea/Hiding_Passwords_From_Unix_ps_Command.htm
But this is not a perfect solution. If you do "ps -ax", it may not show the command, but if you grep the particular process from "ps -ax", it will show you the whole command totally. And the root user can read the "proc" files by some means easily to get the password.

I found the solution along with your support :)  THANK YOU ALL FOR ALL YOUR SUPPORT. Please delete the question!!!

 

by: rrajeshekharPosted on 2008-07-15 at 02:30:21ID: 22005273

sunneycoder,
I apologise for being rude and for my statements being insulting. I am very sorry to the community.

Expecting Gurus, Sages to provide me correct path (which they are providing) "quickly" if they can without repeated suggestions as I cannot buy time. And here I have been helped out lot of times. Thank you all for that.

All these things happened as I could not give them a clear picture (which I cannot for lot of reasons, please understand) what are the security measures I am taking for my system. Please do not offend the asker when he/she is confident about something. I am ready to take your suggestions as really those are valuable. But my kind request not to dig into the problem which I do not want to reveal.

(FYI: There are lot of third party softwares available in windows and linux, which do not require the passwords or keys to be available remotely all the time. And it is not an "easy" task all the time to crack a system, evenif you have super-user privileges. It is matter how to make the intruders' task harder to crack the system-security, not to make it impossible.)

Sorry once again.
-Regards

 

by: evilrixPosted on 2008-07-15 at 02:38:29ID: 22005309

>> I am ready to take your suggestions as really those are valuable
I have answered this Q in my first post, all other suggestions made were additional to this and were an attempt to try and assist you further, beyond the scope of the original question. I have nothing further to add.

Please also note that I find myself unable to assist those who are rude and offensive to those who are only trying to help them. A belated apology once you've calmed down does not, in my book, excuse your original behavior (especially as you had no reason to be 'un-calm' in the first place) and I am no longer willing to assist you in this or any other thread anymore than I have already done.

Note to ZAPE: I would request you DO NOT remove this comment.

 

by: evilrixPosted on 2008-07-15 at 02:39:11ID: 22005313

BTW: Why are my posts all orange? Also, why are the OPs. What is going on here?

 

by: rrajeshekharPosted on 2008-07-15 at 04:00:18ID: 31474721

solution provided!!! thank you.

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...