modified | Sunday 2 February 2025 |
---|---|
title | Keeping curl cookies a secret |
Passing cookies to curl
without allowing other users on your system to see them via the process list:
1echo "--cookie sessionid=012345679abcdefghijklmnopqrstuvwxyz" | curl --config -
This works because echo
is generally a built-in of your shell:
1# Using bash
2$ type echo
3echo is a builtin
4
5# Using sh
6$ type echo
7echo is a shell builtin
8
9# Using fish
10$ type echo
11echo is a builtin
The correctness can be verified by first displaying all processes as they get created:
1# Run this in a second terminal as root
2$ forkstat | grep 'cookie\|curl'
If you now run the original snippet you’ll see curl
show up but not your cookie. If you replace echo
(the builtin) with /usr/bin/echo
(a separate program) your cookie will show up. That’s why you need to be careful with that you put on the command line.