Hiding command-line arguments to a Perl script

Question

Let's say I have written a Perl script called "foo.pl" that takes in a password argument via the -p switch.

However, while it is running, anyone can do a ps and see the entire command-line string, including the password:

$ ps a |grep 'foo\.pl'
32310 pts/4    S+     0:00 /usr/bin/perl -w ./foo.pl -p password
32313 pts/5    S+     0:00 grep foo.pl

What is the easiest/simplest way to hide the password and replace it with something like xxxxxx?

Answer 1

Ask for the password from inside the script, so you don't have to pass it as an argument.

---

Update

Apparently this work for me, simulating a mysql behaviour:

#!/usr/bin/perl
($0 = "$0 @ARGV") =~ s/--password=\K\S+/x/;
<STDIN>;

$ ./s --user=me --password=secret
^Z
$ ps
  PID TTY           TIME CMD
 1637 ttys000    0:00.12 -bash
 2013 ttys000    0:00.00 ./s --user=me --password=x

Under MacOS 10.6

Answer 2

Passing passwords on the command line is not really a good idea, as already mentioned.

But: you can usually (it is OS-dependent) change the name that is shown by ps by assigning to $0.

e.g. (tested on Linux)

$ cat secret.pl
#!/usr/bin/perl

$0 = "my secret perl script";
sleep 15;

$ ./secret.pl -p foobar &
[2] 426
$ ps a | grep perl
  426 pts/0    S      0:00 my secret perl script
  428 pts/0    S+     0:00 grep perl

See the section on $0 in the perlvar manpage for details.

Answer 3

There are a couple of ways to go. The most immediate is to (like sidyll says) prompt for the password in the actual script. Don't put in on the command line, and you won't have to hide it.

Another option is a private password file. This file can be read through shell interpolation, but it's still kind of a kludge.

You could add a bit more flexibility to the private password file by wrapping your script in a "launcher" script. Essentially, you write a script whose sole purpose is to "set up" the password file, and then launch your real script.