9

When a user specifies a password in the MySQL CLI, aka -pXXXXXX, the password parameter is replaced with -p****** in the argv array.

So when someone checks the process list with ps, they can't see the password.

How can I do the same in Python? This doesn't work, obviously:

```python
import sys

for arg in sys.argv[1:]:
    arg = ""  # rebinds the loop variable only; sys.argv is unchanged
```
daisy
  • Have you tried `sys.argv = []`? Also `del sys.argv[1]` (or whatever the index of the argument should be), which might just delete the one item? – martineau Jan 16 '17 at 02:35
  • @martineau It's more like overriding the memory that argv points to – daisy Jan 16 '17 at 04:44

3 Answers

6

```python
import sys

sys.argv = [sys.argv[0]]
```

works and is more efficient and elegant than deleting all but the first element. I can't confirm this would overwrite or erase the previous value of sys.argv in memory though.

James T.
  • @lilydjwg What version of Python are you using? Should be fine in 2.7 or 3.6. I tested in each and it worked. https://gist.github.com/jtara1/900a580b362ea1c8b3b7019695e04519 – James T. Aug 12 '20 at 23:50
  • It doesn't change what you see from outside in top / ps / etc. If you pass a password in an argument, it will be visible to other users on the same system (as long as they can see your process). – lilydjwg Aug 13 '20 at 10:54
0

You can make a wrapper that accepts a password and other arguments. It will then spawn a child, pass it the password in a way that's not visible on the command line, e.g. with multiprocessing, and kill itself. For killing processes while keeping their children alive look here.

Synedraacus
0

I didn't find a way, so I turned to environment variables for tokens (and unset them once acquired to prevent leaking to child processes).

lilydjwg
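The environment-variable approach from the last answer, together with handing the secret to a child over a stdin pipe rather than its command line (a `subprocess` pipe here, not the `multiprocessing` route the second answer mentions), as an added example that is not code from any of the posters. The variable name `APP_TOKEN`, the `--user demo` arguments and the token value are constructed for illustration.

```python
import json
import os
import subprocess
import sys

TOKEN_VAR = "APP_TOKEN"  # hypothetical variable name chosen for this example


def take_secret(name=TOKEN_VAR):
    """Read a secret from the environment, then unset it in this process.

    os.environ.pop() also calls unsetenv(), so children started afterwards
    do not inherit the variable.
    """
    secret = os.environ.pop(name, None)
    if not secret:
        raise SystemExit(f"{name} is not set")
    return secret


# Child that only reports what it can see: its argv, whether the variable
# reached its environment, and how many characters arrived on stdin.
CHILD = """
import json, os, sys
secret = sys.stdin.read()
print(json.dumps({"argv": sys.argv[1:],
                  "env_has_token": "APP_TOKEN" in os.environ,
                  "stdin_chars": len(secret)}))
"""


def child_view(secret):
    """Start a child, pass the secret over a stdin pipe, return what it saw."""
    done = subprocess.run(
        [sys.executable, "-c", CHILD, "--user", "demo"],  # no secret in argv
        input=secret, capture_output=True, text=True, check=True,
    )
    return json.loads(done.stdout)


if __name__ == "__main__":
    os.environ.setdefault(TOKEN_VAR, "constructed-demo-token")  # constructed value
    token = take_secret()
    print(child_view(token))
```

On Linux, `/proc/<pid>/environ` keeps showing the environment the process was started with even after the variable is unset, but that file is readable only by the process owner and root, whereas the command line is normally visible to every local user.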