date | 2025-01-01 |
---|---|
modified | Sunday 16 February 2025 |
title | Keeping curl cookies a secret |
Passing cookies to curl without allowing other users on your system to see them via the process list:

```sh
echo "--cookie sessionid=012345679abcdefghijklmnopqrstuvwxyz" | curl --config - https://domain.example/
```
This works because echo is generally a built-in of your shell. This means that when you echo data you’re not creating an additional process that can be seen in the process list.

```sh
# Using bash
$ type echo
echo is a builtin

# Using sh
$ type echo
echo is a shell builtin

# Using fish
$ type echo
echo is a builtin
```
The correctness can be verified by first displaying all relevant processes as they get created:
```sh
# Run this in a second terminal as root
$ forkstat | grep 'cookie\|curl'
```
If you now run the original snippet you’ll see curl show up but not your cookie. If you replace echo (the builtin) with /usr/bin/echo (a separate program) your cookie will show up. The process list is visible to all users, which is why you need to be careful not to pass passwords as command line arguments.
You can also use your shell’s process substitution to get the same effect. One advantage is that the substituted input behaves more like a regular file, so it also works with programs that can’t read from stdin. A downside is that the syntax is less common, which makes it harder to understand. Another possible downside is that these ‘files’ do not support seeking, at least not when you’re using Bash: if the application wants to read the data multiple times it can malfunction.
```sh
# Bash
curl --config <(echo "--cookie sessionid=012345679abcdefghijklmnopqrstuvwxyz") https://domain.example/
# Bash sets up a file descriptor for process substitution. These can only be read
# once by the application. The process list will show:
# curl --config /dev/fd/63 https://domain.example/


# Fish
curl --config (echo "--cookie sessionid=012345679abcdefghijklmnopqrstuvwxyz" | psub) https://domain.example/
# Fish sets up a temporary file for process substitution. This is a regular file
# and can be read multiple times by the application. The process list will show:
# curl --config /tmp/.psub.YLvoJaH2ep https://domain.example/
```
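The stdin-config approach and the process-list check above, as an added POSIX sh example that is not part of the original post: `cookie_config` builds the curl config line with the quoting curl’s config format expects (so cookie values containing spaces, quotes or backslashes still work) using only shell builtins, and `argv_leaks` scans `/proc/*/cmdline` to confirm a given string is not in any process’s argv. It assumes Linux (`/proc`) and, for the usage line, a curl binary; the `SESSION_COOKIE` variable name is hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes Linux /proc.

# Print a curl config line for COOKIE_VALUE using only shell builtins, so the
# value is never an argument of a separate process. curl's config-file
# format requires double quotes around a value that contains whitespace,
# and inside the quotes a backslash or double quote must be escaped.
cookie_config() {
  _in=$1 _out=""
  while [ -n "$_in" ]; do
    _c=${_in%"${_in#?}"}       # first character of the remaining input
    _in=${_in#?}
    case $_c in
      \\) _out="$_out\\\\" ;;  # \  ->  \\
      \") _out="$_out\\\"" ;;  # "  ->  \"
      *)  _out="$_out$_c" ;;
    esac
  done
  printf '%s "%s"\n' --cookie "$_out"
}

# Return 0 and print the offending process if NEEDLE appears in the argv of
# any process on the system, else return 1. The only child spawned is tr,
# whose argv never contains the needle, so the check cannot trip itself.
argv_leaks() {
  for _f in /proc/[0-9]*/cmdline; do
    _cmd=$(tr '\0' ' ' 2>/dev/null < "$_f") || continue
    case $_cmd in
      *"$1"*) printf '%s: %s\n' "${_f%/cmdline}" "$_cmd"; return 0 ;;
    esac
  done
  return 1
}

# Usage: the cookie comes from a variable (or a file read with the builtin
# 'read'), never from the command line, and travels to curl over stdin.
#   cookie_config "$SESSION_COOKIE" | curl --config - https://domain.example/
#   argv_leaks "$SESSION_COOKIE" && echo "cookie is visible in the process list"
```

Running `argv_leaks` while a `/usr/bin/echo "--cookie …" | curl --config -` pipeline is active reports the echo process, while the builtin-echo and `cookie_config` forms report nothing.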