Reusable Passwords In Command Line Arguments and Environment Variables

Copyright 1991-2007, Sun Microsystems, Inc

Policy Synopsis

Reusable passwords are not permitted to be passed to programs using either environment variables or command line arguments.

Overview

Owner: Security-SWG
Sponsor: thomas.tahan
Author: glenn.brunette
Changes: sec-swg
Authority: SAC
Policy Version: 1.0
Status: Proposed 2003/06/19
Effective: All projects exiting PLC Phase 3 on or after 2003/07/01

Applicability

All programs that require or accept, as a command line argument, a password, passphrase or other string used to authenticate a principal or authorize an action.

This policy applies to all such programs delivered by Sun, for which Sun controls the interface.

Audience

ARCs, Project Teams

Background

Policy

  • Applies to: This policy must be implemented in all major releases of Sun software products, and should be incorporated in minor releases when possible.
  • Authority: SAC
  • Effective: All projects exiting PLC Phase 3 on or after 2003/07/01
  • Policy

    Reusable passwords are not permitted to be passed to programs using either environment variables or command line arguments.

  • Details

    If a program needing a password is running in the presence of a user, it must obtain the password either directly from user input or indirectly from the user's security credentials. In cases where no user is present and no credentials mechanism is available, it is acceptable to place the password in a file which is read by the program needing the password. Access to such files must be restricted by standard file access controls.

    Note that the security credentials described above are not specific to any one authentication mechanism. The credentials used will be specific to the entity being accessed using the command line interface.

Advice

The use of reusable passwords either as a command line argument to a program or passed as an environment variable to a program creates several major security risks, such as:

  • Any Solaris OE user can observe other users' active command lines with the "ps -ef" command.
  • Any Solaris OE user can observe a complete list of another user's environment variables using the Berkeley version of the "ps" command (using the "-aeww" argument).
  • Command lines may be recorded in shell history files which may have open access permissions.

By supplying the reusable password in a file (protected by appropriate access permissions), the password can be protected from non-privileged users. Privileged users (root) on the local machine can still access the password, but the protection from non-privileged users is a significant improvement.

This policy does not specifically address the security issues related to protecting files containing reusable passwords when stored on backup media. While topics related to storage and handling are outside of the scope of this policy, it is encouraged that these issues be described in the product documentation so that the customer is aware of these risks and can therefore take appropriate action (e.g., the use of encrypted backups, special handling procedures, etc.).

Although not appropriate in all instances, programs accessing password, authentication or other security relevant information should consider first verifying that the file has ownership, group membership and permissions that are set to be within some predefined tolerance.
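
The check suggested above, applied to the password-file fallback from the Details section, as an added example (not part of the original policy or any Sun code). The tolerance used here (regular file, owned by the caller or root, no group/other permission bits) and the names read_password_file, InsecurePasswordFile and demo are assumptions.

```python
import os
import stat
import tempfile

# Assumed tolerance (not from the policy text): a regular file, owned by the
# calling user or root, with no group/other permission bits set.
FORBIDDEN_BITS = stat.S_IRWXG | stat.S_IRWXO

class InsecurePasswordFile(Exception):
    """Raised when the file falls outside the accepted tolerance."""

def read_password_file(path, allowed_uids=None):
    """Return the first line of `path` after checking type, owner and mode."""
    if allowed_uids is None:
        allowed_uids = {0, os.geteuid()}
    # O_NOFOLLOW refuses a symlink as the final path component; checking the
    # open descriptor with fstat() avoids a check-then-open race on the path.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise InsecurePasswordFile(f"{path}: not a regular file")
        if st.st_uid not in allowed_uids:
            raise InsecurePasswordFile(f"{path}: owned by uid {st.st_uid}")
        if st.st_mode & FORBIDDEN_BITS:
            mode = stat.S_IMODE(st.st_mode)
            raise InsecurePasswordFile(f"{path}: mode {mode:04o} too open")
        with os.fdopen(fd, "r", encoding="utf-8") as fh:
            fd = None  # fh now owns (and will close) the descriptor
            return fh.readline().rstrip("\n")
    finally:
        if fd is not None:
            os.close(fd)

def demo():
    """Constructed sample: the same file at mode 0600, then at 0644."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db.pass")
        with open(path, "w") as fh:
            fh.write("constructed-sample-secret\n")
        os.chmod(path, 0o600)
        accepted = read_password_file(path)
        os.chmod(path, 0o644)  # now readable by group and other
        try:
            read_password_file(path)
            return accepted, False
        except InsecurePasswordFile:
            return accepted, True
```
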

Implementation

This rule is to be applied by all Architecture Committees. 

Conformance

The project materials submitted for ARC approval must follow this policy. ARC approval will not be granted otherwise. 

Exemptions

The only time the use of reusable passwords on command lines is allowed in Sun products is for either backward compatibility with previous minor releases of the same product or to comply with an external standard interface.

In those cases relating to standards compliance, the existing mechanism must be updated to comply with this policy.

Note that exceptions to the compatibility requirements are often granted to address security holes so it is often possible and advisable to remove these in a minor release. This is particularly true if the expected use is in development, rather than deployment environments. At the recent Customer Advisory Council meeting that focused on security, customers indicated they would be willing to break backward compatibility if there were a solid security reason behind it.

References

The following definitions apply to this policy statement.

  1. Reusable Password. A password string that can be used successfully more than once. This differs from one time passwords, such as those generated by S/Key or OPIE in that they can be used successfully only once.
  2. Principal. A unique entity. For example, a principal can be a user or a service.

Initial Costs

Minor. Required to remove the use of reusable passwords from command line programs (per project). 

Ongoing Costs

None

Created by admin on 2009/10/26 12:07
Last modified by Asa Romberger on 2010/03/05 13:57