Using Passwords in CLI commands

igal_tovievich
New Contributor II

Hey folks,

This is relatively simple, but I haven't found a place giving a straight answer about it -
Will writing passwords or other information inside CLI commands executed by policies be viewable in any log, text file, or any other output (including terminal)?
This is regarding the user's side of things. If it appears in Jamf that's all good.

1 ACCEPTED SOLUTION

boberito
Valued Contributor

When jamf runs a script it's written to /Library/Application Support/JAMF/tmp/ while it's running. So the password is written to disk at that point. However, once the script completes that file is deleted. That directory is locked down to root only.

Logging might depend on the command, there's no command I can think of that writes the password but things have happened... back in the day there was this issue: Uh Oh! Unified Logs in High Sierra (10.13) Show Plaintext Password for APFS Encrypted External Volum...

If you pass the password as a variable in the policy/script it will show up if you run the following while the policy runs.

ps aux | grep jamf

If for some crazy reason you aren't using SSL for jamf (not sure if that's even possible), it would get transmitted over plain text and could be seen in a packet capture.

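The process-list exposure described in the accepted answer can be checked directly. The following is an added example, not part of the original thread and not Jamf's code: it starts a stand-in worker that receives a constructed secret once as an argument and once on stdin, and reports whether the process list showed it. The names `list_cmdlines`, `secret_exposed`, `observe` and `worker` are hypothetical, and the stdin variant is a common alternative that the thread itself does not mention.

```shell
#!/bin/sh
# Added example, not from the thread. SECRET is a constructed value built at
# run time; the worker and all function names are hypothetical.
SECRET="constructed-demo-secret-$$"

# Command lines of all processes, which any local user can read.
list_cmdlines() {
    ps -A -ww -o args= 2>/dev/null && return 0
    # Fallback for minimal Linux images without a full ps (not needed on macOS).
    for f in /proc/[0-9]*/cmdline; do
        { tr '\0' ' ' < "$f"; echo; } 2>/dev/null || true
    done
}

# Return 0 if the secret appears in any command line. The match uses the
# shell's built-in `case`, so the check itself never puts the secret in argv
# (a `grep "$SECRET"` would, and would always find itself).
secret_exposed() {
    snapshot=$(list_cmdlines)
    case "$snapshot" in *"$SECRET"*) return 0 ;; *) return 1 ;; esac
}

# Run a stand-in worker for two seconds and report what the process list
# showed while it was alive: prints "exposed" or "hidden".
observe() {
    case "$1" in
        argv)   # secret handed over as a positional parameter
            sh -c 'pw=$1; sleep 2; :' worker "$SECRET" & ;;
        stdin)  # secret written to the worker's stdin by the printf builtin
            printf '%s\n' "$SECRET" | sh -c 'IFS= read -r pw; sleep 2; :' worker & ;;
    esac
    sleep 1
    if secret_exposed; then result=exposed; else result=hidden; fi
    wait
    echo "$result"
}

# Run with the single argument "demo" to print both results.
if [ "${1:-}" = demo ]; then
    echo "secret as argument: $(observe argv)"
    echo "secret on stdin:    $(observe stdin)"
fi
```

The same `secret_exposed` check can be pointed at a real policy run by setting `SECRET` to a test credential and calling it while the policy executes.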