views: 303

answers: 7

I want to write a program that runs an executable image without creating a new process... I want to do this because I want to use plink, which sends a password to a remote ssh server...

The plink program sends the password provided on the command line... If I use the fork and exec functions, someone can see the password provided on the command line using process explorer or ps -aef or cat /proc//cmdline... How can I avoid this security hole? This program has to run on both Linux and Windows...

A: 

Well, why send the password in the beginning? Use the password to encrypt some text+time stamp, and then send to authorize yourself?

And no, I don't know a way to call another program without creating a new process.

MadH
A: 

If your worry is that the password is visible, you may be better off encrypting the password. An encrypted password has little value to the observer, so you can use methods like exec() and fork().

Adriaan
+3  A: 

Most programs which accept a password on the command line also accept it via a file, a pipe, or an environment variable. Why not use one of these other mechanisms?

Dark Falcon
Environment variable works particularly well. Very little setup to use, and no trace on the file system at all.
Matthew Scharley
Unless you type 'export PASSWORD=iamgod' before you run the program, in which case it's in your command history...
Chris Huang-Leaver
This program is plink... and it is a third-party program.
suresh
Then use a public/private key pair as recommended in the plink documentation.
Dark Falcon
There may also be a way to save the password in a session file and use the -load option. I did not try.
Dark Falcon
Environment variables are visible via the /proc file system in exactly the same way the command line is. The only secure way to transfer the data is via an anonymous pipe or socket (i.e. not a disk file or network socket), but you can bind that to stdin/stdout of the child process before the fork obviously.
Andy Ross
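
The anonymous-pipe approach from the last comment above, as an added example that is not part of the original thread: a parent hands a secret to a child over stdin and checks that it never shows up in the child's argv, environment, or `/proc` entries. The child is a constructed Python stand-in (not plink), and the `--user demo` arguments and the secret value are made up for the demonstration.

```python
import hashlib
import json
import subprocess
import sys

# Constructed stand-in for the third-party program (NOT plink): it reads the
# secret from stdin and reports what its own argv and environment contain.
CHILD_SRC = """
import hashlib, json, os, sys
secret = sys.stdin.readline().rstrip("\\n")
print(json.dumps({
    "argv": sys.argv[1:],
    "in_env": any(secret in v for v in os.environ.values()),
    "sha256": hashlib.sha256(secret.encode()).hexdigest(),
}))
"""

def proc_snapshot(pid):
    """What another local process could read about `pid` (Linux /proc only)."""
    seen = {}
    for name in ("cmdline", "environ"):
        try:
            with open(f"/proc/{pid}/{name}", "rb") as fh:
                seen[name] = fh.read()
        except OSError:  # no /proc (Windows, macOS) or child already gone
            pass
    return seen

def run_with_secret_on_stdin(secret, timeout=10):
    """Start the child, snapshot /proc before sending, then send the secret."""
    proc = subprocess.Popen(
        [sys.executable, "-c", CHILD_SRC, "--user", "demo"],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    snapshot = proc_snapshot(proc.pid)  # secret has not been written yet
    try:
        out, _ = proc.communicate(secret + "\n", timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.communicate()
        raise
    child = json.loads(out)
    return {
        "returncode": proc.returncode,
        "leaked_in_proc": any(secret.encode() in v for v in snapshot.values()),
        "leaked_in_argv": any(secret in a for a in child["argv"]),
        "leaked_in_env": child["in_env"],
        "delivered": child["sha256"] == hashlib.sha256(secret.encode()).hexdigest(),
    }

if __name__ == "__main__":
    print(run_with_secret_on_stdin("constructed-demo-secret"))
```

This only helps when the target program actually reads the secret from stdin; a program that insists on a console or terminal prompt needs a different mechanism, such as the key-based authentication suggested in the other answers.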
+3  A: 

View this article Remote Code/Process Injection and Relocation. A method to inject an entire executable into another process (thereby avoiding the need for a DLL)

lsalamon
This seems to be unreliable... Is there a more reliable way to do it?
suresh
No... and to do it the way the article suggests you have to know a lot about executable format and what happens at a low level when you run a program. I would not recommend that method.
jnylen
A: 

To avoid being prompted for a password or using a plain text password in places where it could be "sniffed" from, you should almost certainly set up public-key authentication (assuming you're bound to plink...).

Using pipes is also a good solution.

Michael Foukarakis
+6  A: 

Set up your SSH server to use RSA public/private key authentication instead of passwords. This is usually a better choice anyway for SSH in general. See http://www.google.com/search?q=set+up+ssh+rsa.

jnylen
A: 

I found a plink wrapper for unison that does what you need, mainly waiting for a password prompt on plink's STDOUT, then feeding it a response on STDIN.

Hope this works for you.

Hasturkun