I want to hide system commands issued from system()

tags:

c++
system

views:

545

answers:

+3 Q:

I want to hide system commands issued from system()

Writing a program in c++ and I want to issue a system command from the system() function but I don't want the user to see the command (because the command includes a pwd) in the executable window. I need to copy a file from the user's directory onto the server without allowing user access to the server or displaying the pwd. Figured having a .exe that does this is the easiest way.

Ex:

system("FILETRANSFER_SW.exe -pw helloWORLD11!@ C:/temp.txt F:/tempfolder/")

But the executable window is showing this command, hence defeating the purpose of trying to hide the password.

I tried issuing system("@echo OFF") at the beginning of the program but that does not suppress the following commands, they still show up in the executable window.

Any suggestions?

Thanks...

+7 A:

The command line of running processes is considered public information in most operating systems.

Therefore it is a very bad idea to pass passwords on the command line.

There are two common workarounds to this problem, both of which require the support of the executable being called:

instead of passing the username/password on the command line, pass the name of a file containing the username/password
re-set the command line of the running process from within the called executable.

The first solution is easy and universally possible, the second one has a race condition and is harder to implement, because there's no cross-platform way to do it (on some OSes, changing argv will help).

Joachim Sauer 2009-02-25 15:01:52

Hmmmm....but is it possiblt to pass the name of file within the sytem command in order to implment my solution? This also requires placing the password in a file that could be accessible.I'll give it a try tho

2009-02-25 15:10:13

The file can be permissioned so that your job can see it but other users can't.

chaos 2009-02-25 15:12:38

I've used this technique on Unix, but not on Windows. I also usually add code in my app to check perms on the file containing the password. If permissions are not strict enough, I don't use the file, in an attempt to minimize tampering.

Craig S 2009-02-25 15:15:03

Perhaps the file could actually be a named pipe.

bk1e 2009-02-25 15:24:52

+2 A:

I'm assuming from your command line that you're using Windows. If it doesn't need to be portable I would suggest you use the CreateProcess() API instead of calling system().

The CreateProcess() API can take a command-line and you can set up the STARTUP_INFORMATION parameter to hide the new process window (wShowWindow = SW_HIDE).

The command line will be hidden from the casual user, but as others have pointed out, it's not that hard to retrieve. Since you are creating a new process, I would suggest writing the sensitive data to that process' standard input. That way the process can just read it and proceed normally.

Ferruccio 2009-02-25 15:08:13

Using CreateProcess() API will hide the sensitive data from a user, but a power user can easily get the command line associated with the process using a free utilty, e.g. Process Explorer

Yarik 2009-02-25 15:11:46

Another solution is to send the password between your programs, encrypted with something like 3DES, or AES.

You could use a pipe to comunicate between both programs, and don't use the command line at all.

But any of this schemes is not really secure they can be circumvent rather easily. If you want more security you should use some kind of challenge-response protocol with the server.

Ismael 2009-02-25 23:59:52

ansaurus

tags:

views:

answers:

I want to hide system commands issued from system()

related questions