ADSM-L

Re: Clear text passwords. Was: Automating dsmserv

2003-05-28 06:15:29
Subject: Re: Clear text passwords. Was: Automating dsmserv
From: "Marcel J.E. Mol" <marcel AT MESA DOT NL>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Wed, 28 May 2003 12:15:05 +0200

Indeed, ps does not show the command line args of the dsmadmc process.
(I did not check it before posting...). So the TSM developers did a better
job than the Oracle guys; giving userid/passwd as arguments to sqlplus does
not hide them in the ps output (just checked this...).

However, the way this works is that dsmadmc just 'clears' the arguments
passed to it. This means there is a small race condition. If you are quick
enough you can see the passwords. Using the following script:

    #!/bin/ksh
    # Loop as fast as possible; print every dsmadmc process line ps reports
    while true; do
        ps -ef | grep dsmadmc | grep -v grep
    done

Let's name this greptsm. Running this in the background

    # ./greptsm > /tmp/greptsm.log &

and running some dsmadmc commands from the command line
(I created a test user with password test) quickly shows
some useful info:

    root 21050 21448   3 12:04:13  pts/0  0:00 dsmadmc
    root 21050 21448   0 12:04:13  pts/0  0:00 [dsmadmc]
    root 15500 21448   0 12:04:14  pts/0  0:00 [dsmadmc]
    root 28996 21448   1 12:04:15  pts/0  0:00 dsmadmc -id=test -pa=test q act begint=-00:01
    root 28996 21448   4 12:04:15  pts/0  0:00 dsmadmc
    root 28996 21448   4 12:04:15  pts/0  0:00 dsmadmc
    root 28996 21448   4 12:04:15  pts/0  0:00 dsmadmc
    root 28996 21448   5 12:04:15  pts/0  0:00 dsmadmc


So you're safe most of the time, but if you have some time to kill
it can easily be done... (this was tested on an AIX 5.1 system)

-Marcel

On Tue, May 27, 2003 at 02:58:45PM -0700, Alex Paschal wrote:
> Actually, it doesn't show on AIX 5.2 or AIX 4.3.3.  I can't speak for any
> other OS's or client levels.
>
> Alex Paschal
> Freightliner, LLC
> (503) 745-6850 phone/vmail
>
> alex /home/alex $ dsmadmc -id=myid -pa=mypass
> Tivoli Storage Manager
> Command Line Administrative Interface - Version 5, Release 1, Level 5.2
> (C) Copyright IBM Corporation 1990, 2002 All Rights Reserved.
>
> Session established with server CORPTSM: AIX-RS/6000
>   Server Version 5, Release 1, Level 5.4
>   Server date/time: 05/27/03   14:52:24  Last access: 05/27/03   14:48:43
>
>
> tsm: CORPTSM>[1] + Stopped (SIGTSTP)        dsmadmc -id=reports -pa=reports
> alex /home/alex $ ps -ef | grep dsm
>     alex 24742 20888   0 14:54:06  pts/6  0:00 dsmadmc
>     alex 33486 20888   2 14:54:10  pts/6  0:00 grep dsm
> alex /home/alex $ fg
> dsmadmc -id=reports -pa=reports
> quit
>
> ANS8002I Highest return code was 0.
>
> alex /home/alex $ r ps
> ps -ef | grep dsm
>     alex 33488 20888   2 14:54:19  pts/6  0:00 grep dsm
> alex /home/alex $
>
> -----Original Message-----
> From: Marcel J.E. Mol [mailto:marcel AT MESA DOT NL]
> Sent: Tuesday, May 27, 2003 1:42 PM
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: Re: Clear text passwords. Was: Automating dsmserv
>
>
> On Tue, May 27, 2003 at 04:06:32PM -0400, Stephen E. Bacher wrote:
> > Justin Bleistein <justin.bleistein AT sungard DOT com> wrote:
> >
> > >any alternatives to running: "dsmserv" via batch mode with the:
> > >
> > >dsmadmc -id=login -pass=password syntax...
> > >
> > >I mean it's passwords in clear text so all someone has to do is cat that
> > >file and your exposed... Any ideas on how to automate the client-server
> > >interface (dsmadmc) without displaying the password anywhere?. Thanks!.
> >
> > A slight improvement on security would be something like:
> >
> >  dsmadmc -id=login -pass=`cat /private/tsm/password.txt`
>
> As a normal user on this system do "ps -ef | grep dsm" and you'll
> see the result of `cat /private/tsm/password.txt` ...
>
> -Marcel
> --
>      ======--------         Marcel J.E. Mol                MESA Consulting B.V.
>     =======---------        ph. +31-(0)6-54724868          P.O. Box 112
>     =======---------        marcel AT mesa DOT nl                 2630 AC  Nootdorp
> __==== www.mesa.nl ---____U_n_i_x______I_n_t_e_r_n_e_t____ The Netherlands ____
>  They couldn't think of a number,           Linux user 1148  --  counter.li.org
>     so they gave me a name!  -- Rupert Hine  --  www.ruperthine.com

--
     ======--------         Marcel J.E. Mol                MESA Consulting B.V.
    =======---------        ph. +31-(0)6-54724868          P.O. Box 112
    =======---------        marcel AT mesa DOT nl                 2630 AC  Nootdorp
__==== www.mesa.nl ---____U_n_i_x______I_n_t_e_r_n_e_t____ The Netherlands ____
 They couldn't think of a number,           Linux user 1148  --  counter.li.org
    so they gave me a name!  -- Rupert Hine  --  www.ruperthine.com
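As an added example (not code from any post in this thread), here is the defensive counterpart to the greptsm loop: a Python audit that parses `ps -ef` output in the layout Marcel posted, flags processes whose arguments carry a password option such as dsmadmc's -pa=/-pass=/-password= (which also catches the value a `cat /private/tsm/password.txt` substitution expands to), and redacts the secret so the finding can be logged safely. The -pw= spelling and the sample listing are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Password-bearing options. -pa=, -pass= and -password= are the dsmadmc
# spellings seen in the thread; -pw= is an assumed extra for other tools.
SECRET_OPT = re.compile(r"(?i)(?P<opt>--?(?:pa|pass|password|pw)=)(?P<val>\S+)")

# ps -ef columns: UID PID PPID C STIME TTY TIME CMD (CMD may contain spaces)
PS_COLUMNS = 8

@dataclass
class Finding:
    uid: str
    pid: int
    option: str
    redacted_cmd: str

def redact(cmd: str) -> str:
    """Replace every secret value with **** but keep the option name."""
    return SECRET_OPT.sub(lambda m: m.group("opt") + "****", cmd)

def scan_ps_output(text: str) -> list[Finding]:
    """Return one Finding per ps -ef row whose CMD column leaks a password."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, PS_COLUMNS - 1)
        if len(parts) < PS_COLUMNS or not parts[1].isdigit():
            continue  # header line or something that is not a ps -ef row
        uid, pid, cmd = parts[0], int(parts[1]), parts[7]
        m = SECRET_OPT.search(cmd)
        if m:  # bare "dsmadmc" and "[dsmadmc]" rows carry no arguments
            findings.append(Finding(uid, pid, m.group("opt"), redact(cmd)))
    return findings

# Constructed sample modelled on the listing Marcel posted
SAMPLE_PS = """\
     UID   PID  PPID   C    STIME    TTY  TIME CMD
    root 21050 21448   3 12:04:13  pts/0  0:00 dsmadmc
    root 21050 21448   0 12:04:13  pts/0  0:00 [dsmadmc]
    root 28996 21448   1 12:04:15  pts/0  0:00 dsmadmc -id=test -pa=test q act begint=-00:01
"""

if __name__ == "__main__":
    for f in scan_ps_output(SAMPLE_PS):
        print(f"pid {f.pid} ({f.uid}) exposes {f.option} on its command line: {f.redacted_cmd}")
```

On a live host, feed the captured stdout of `ps -ef` to `scan_ps_output`; because the window is as short as Marcel shows, run it on a tight interval or from an audit hook rather than as a one-off check.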