安全问题:NodeJS 生成是否在任何地方记录?

Security question: Are NodeJS spawns logged anywhere?

如果您在终端中 运行 命令,请说

rsync -avuP [SourcPath] [DestPath]

该命令将被登录,例如 .bash_history、.zsh_history、.bash_sessions 等

因此,如果您使用像 sshpass

这样出了名的不安全的东西

sshpass -P password -p MySecetPassword [Some command requiring std input],那也将被记录。

但是当您使用 Node JS 生成进程时执行等效操作会发生什么?

passw = functionThatRetrievesPasswordSecurely();
terminalCmd = "sshpass";
terminalArgs = ["-P, "password", "-p", passw, "command", "requiring", "a", "password", "entry"];
spawn = require("child_process").spawn(terminalCmd, terminalArgs);
spawn.stdout.on("data", data => {console.log("stdout, no details"});
spawn.stderr.on("data", data => {console.log("stderr, no details"});
spawn.on("close", data => {console.log("Process complete, no details"});

是否在任何地方记录了 terminalCmd 或 terminalArgs?

如果有,在哪里?

如果不是,这是使用 opf sshpass 的安全方法吗?

没有用于 exec 的节点特定历史文件,除非您通过记录参数创建了一个。可以有较低级别的 OS 日志记录来捕获此类数据,例如审计日志。

在命令行上传递密码仍然被认为是最不安全的方式。 尝试 -f 传递文件或 -d 传递文件描述符(或者 ssh 密钥应始终是第一个调用端口)

man page 说明...

The -p option should be considered the least secure of all of sshpass's options. All system users can see the password in the command line with a simple "ps" command. Sshpass makes a minimal attempt to hide the password, but such attempts are doomed to create race conditions without actually solving the problem. Users of sshpass are encouraged to use one of the other password passing techniques, which are all more secure.

In particular, people writing programs that are meant to communicate the password programatically are encouraged to use an anonymous pipe and pass the pipe's reading end to sshpass using the -d option.