> Ed Griffiths <edgrif at sanger.ac.uk> wrote:
> >happy to add code to saceclient to allow the userid/passwd to be specified on
> >the command line using "-userid your_userid -passwd your_passwd". I saw Tim's
> >fix to the code which I will check and add to our source code, but I think the
> >command line options is a cleaner solution.
>
> It's insecure that way; the complete command line (including userid and
> password) is then visible to any user on the system using ps. It's far
> preferable from a security point of view to be able to supply the user
> ID and/or password on standard input.
>
> Of course, if you add the command line options and my patch, users have
> the choice to use either method (which is what, for example, the isql
> client for Sybase does).

Your patch is in the code.

I agree with you about the security stuff; I had forgotten that it's possible to
get ps to print out the full command string.

An alternative would be for the saceclient to accept the userid and hashed
userid/passwd as command line arguments; this way only encrypted stuff would
appear on the command line. I already supply a utility to do the hashing and I
could make this more friendly as required. That way scripts that use saceclient
via a pipe could just use my utility to create the hash and Bob's your uncle.

Those interested please reply and let me know what you think....

cheers Ed

------------------------------------------------------------------------
| Ed Griffiths, Acedb development, Informatics Group, |
| The Sanger Centre, Wellcome Trust Genome Campus, |
| Hinxton, Cambridge CB10 1SA, UK |
| |
| email: edgrif at sanger.ac.uk Tel: +44-1223-494780 Fax: +44-1223-494919 |
------------------------------------------------------------------------
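
The exposure discussed in this thread, as an added example that is not part of the original messages or of the acedb source: a Python stand-in client (not saceclient) is started three ways and its argument vector is read back the way ps reads it. The `-hash` option, the sample credentials and the SHA-256 stand-in for the hashing utility are assumptions made for illustration.

```python
import hashlib
import subprocess
import sys
from pathlib import Path

# Hypothetical stand-in for a client (not saceclient): reads two lines
# (userid, passwd) from stdin, then idles so its process entry can be inspected.
CHILD = "import sys, time; sys.stdin.readline(); sys.stdin.readline(); time.sleep(30)"

USERID, PASSWD = "demo_user", "demo_passwd"  # constructed sample values
# Constructed stand-in for a hashed userid/passwd; the real utility's scheme is not assumed.
HASHED = hashlib.sha256((USERID + PASSWD).encode()).hexdigest()


def visible_args(pid):
    """Return the argument vector a local user could see for this pid."""
    proc_file = Path(f"/proc/{pid}/cmdline")
    if proc_file.exists():  # Linux
        return proc_file.read_bytes().decode(errors="replace").split("\0")
    out = subprocess.run(["ps", "-ww", "-o", "args=", "-p", str(pid)],
                         capture_output=True, text=True, check=True)
    return out.stdout.split()


def exposed(extra_args, stdin_text, secret):
    """Start the stand-in client and report whether `secret` shows up in its argv."""
    child = subprocess.Popen([sys.executable, "-c", CHILD, *extra_args],
                             stdin=subprocess.PIPE, text=True)
    try:
        child.stdin.write(stdin_text)
        child.stdin.flush()
        return any(secret in arg for arg in visible_args(child.pid))
    finally:
        child.kill()
        child.wait()


def run_cases():
    return {
        # "-hash" is a hypothetical option name, not one taken from saceclient.
        "plaintext in argv": exposed(["-userid", USERID, "-passwd", PASSWD], "", PASSWD),
        "hash in argv": exposed(["-userid", USERID, "-hash", HASHED], "", HASHED),
        "credentials on stdin": exposed([], f"{USERID}\n{PASSWD}\n", PASSWD),
    }


if __name__ == "__main__":
    for case, seen in run_cases().items():
        print(f"{case:22} secret visible in process listing: {seen}")
```

Whatever value the client accepts as an argument is what the process listing shows, so a hash passed this way is listed exactly as a plaintext password would be; only the stdin case keeps the credential out of the listing.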