password visible to other users via process info

Graphical wireless scanning for Linux

Brought to you by: wseverin

password visible to other users via process info

Forum: Bug Reporting

Creator: Bjørn Forsman

Created: 2016-07-05

Updated: 2016-09-14

Bjørn Forsman - 2016-07-05

Hi linssid developers!

Do you know that the password that is input in the small dialog on startup is visible to other users on the system via basic process information?

$ while true; do ps -ef | grep [l]inssid; sleep 0.1; done # or a system tracer like sysdig
sh -c echo "-=-=-=-=-=-Begin block 1\n" >> /tmp/linssid_pkDHTxmMR1 && echo 'MY_PASSWORD' | sudo -kS -p "" /sbin/iwlist wlp3s0 scan >> /tmp/linssid_pkDHTxmMR1

This happens not only on startup, but on every poll as long as the program is active (due to the password being used to run iwlist).

I guess linssid is something one typically run on single-user machines, but still :-)

Anyway, thanks for this otherwise very useful tool.

Best regards,
Bjørn Forsman

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

wseverin - 2016-09-14

This is true. LinSSID was designed to alternatively be launched with sudo or gksudo, in which case the whole process and child precesses run with root privilege. LinSSID senses that it has been launched with root access and then does not ask for or temporarily store a password. If concerned about security, just start LinSSID with sudo or gksudo.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.