Some tools require to specify a password on the command line e.g. recs-fromdb. This is in a production environment a security risk, as other users can simply do a ps -ef to see the password. By default all tools should hide passwords from the command line. In Perl this is simple as all what is required is to overwrite $0. While processing the command line options replace the password or any other security relevant option with the string "".
This is not 100% save as there is still a very brief moment during the program start while the command line is not yet overwritten and hence the password can still be seen. Ideally the password should be read from a configurable environment variable. However even that is not 100% save as root can list the environment of a running process.
The best way would be to stick the password into a file and read it from there or to read all command line arguments from a file.
Some tools require to specify a password on the command line e.g. recs-fromdb. This is in a production environment a security risk, as other users can simply do a ps -ef to see the password. By default all tools should hide passwords from the command line. In Perl this is simple as all what is required is to overwrite $0. While processing the command line options replace the password or any other security relevant option with the string "".
This is not 100% save as there is still a very brief moment during the program start while the command line is not yet overwritten and hence the password can still be seen. Ideally the password should be read from a configurable environment variable. However even that is not 100% save as root can list the environment of a running process.
The best way would be to stick the password into a file and read it from there or to read all command line arguments from a file.