[FFmpeg-user] Parse environment variables in command line

Phil Turmel philip at turmel.org
Mon Apr 20 07:17:05 CEST 2015


On 04/19/2015 10:59 PM, Илья Мельников wrote:
> Hello.
> 
> In a message of Sunday 19 April 2015 05:03:41, Denis Mysenko duster at mail.ru wrote:
>> If you use an environment variable (like you proposed) or any shell/UNIX 'hack'
>> (e.g. -i `cat url.txt`), at the moment of execution a plain-text password
>> will be inserted anyway. And 'ps' will show what really was launched,
>> not the string before parsing.
> 
> So what I suggest is exactly not to show plain-text passwords on the command line.
> Not to use a variable on the command line.
> Not to use the hack -i `cat url.txt`.
> But to give ffmpeg the variable name, and ffmpeg will parse the variable itself.
> 
> 
> Variant 1. Password on command line.
> Running:
> $ export PASS=secret
> $ ffmpeg rtsp://admin:$PASS@192.168.0.100/stream1.sdp
> will lead to:
> $ ps -f -C ffmpeg
> UID        PID  PPID  C STIME TTY          TIME CMD
> user    1506  1423 88 07:47 pts/11   00:00:08 ffmpeg rtsp://admin:secret@192.168.0.100/stream1.sdp
> 
> 
> Variant 2. Variable name on command line (name, but not contents).
> Running:
> $ export PASS=secret
> $ ffmpeg 'rtsp://admin:$PASS@192.168.0.100/stream1.sdp'
> will lead to:
> $ ps -f -C ffmpeg
> UID        PID  PPID  C STIME TTY          TIME CMD
> user    1506  1423 88 07:47 pts/11   00:00:08 ffmpeg rtsp://admin:$PASS@192.168.0.100/stream1.sdp
> 
> In the second variant ffmpeg parameters are quoted and will not be parsed by 
> bash.
> In the second variant "ps" will not see password.
> But in the second variant ffmpeg must parse variables at run time.

ps gets its information from the files in /proc/ where you can find a
variety of information on running processes.  Among them is each
process's 'environ' file, containing its environment.  So the
'security' you are asking for is no new security at all.

Processes that need to truly keep such data away from process monitors
need to use a file with 0600 mode that contains the secrets.  A request
for support for that would actually make sense.

Phil
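
The two mechanisms named in the reply above, as an added example that is not code from the thread or from FFmpeg: reading a variable back out of a child's /proc/<pid>/environ, and keeping a secret in a file that is only accepted when it is mode 0600 and owned by the caller. The function names and sample values are constructed, and Linux /proc plus GNU stat are assumed.

```shell
#!/bin/sh
# Added example for Linux (/proc and GNU stat assumed); all names are constructed.

# Succeed if NAME=VALUE can be read back from a child's /proc/<pid>/environ.
# That file holds the NUL-separated environment the process was started with
# and is readable by the process owner and by root.
env_visible_in_proc() (
    name=$1 value=$2 found=1 tries=5
    export "$name=$value"               # builtin: nothing is placed in any argv
    sleep 30 &
    pid=$!
    while [ "$tries" -gt 0 ]; do        # retry: the child may not have exec'd yet
        if tr '\0' '\n' 2>/dev/null < "/proc/$pid/environ" |
            grep -qxF -e "$name=$value"; then
            found=0
            break
        fi
        tries=$((tries - 1))
        sleep 1
    done
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    [ "$found" -eq 0 ]
)

# Store SECRET in FILE so that the file is mode 0600 from the moment it exists.
write_secret_file() (
    umask 077
    rm -f -- "$1"
    printf '%s\n' "$2" > "$1"           # printf is a builtin, so no argv exposure
)

# Print the secret in FILE only if FILE is a regular file (not a symlink),
# owned by the caller, with mode exactly 0600.
read_secret_file() (
    file=$1
    [ -f "$file" ] && [ ! -L "$file" ] || exit 1
    [ "$(stat -c '%a %u' "$file")" = "600 $(id -u)" ] || exit 1
    cat -- "$file"
)
```

On Linux, `env_visible_in_proc DEMO_PASS some-value` returns success, while `read_secret_file` fails for a file whose mode has been loosened to 0644.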


