From 2af732f364e4734a5a5fd432c77a374e84e5d76c Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 14 Mar 2019 11:49:35 +0100
Subject: curl.1: --user and --proxy-user are hidden from ps output

Suggested-by: Eric Curtin
Improved-by: Dan Fandrich
Ref: #3680

Closes #3683
---
 docs/cmdline-opts/proxy-user.d | 6 ++++++
 docs/cmdline-opts/user.d       | 6 ++++++
 2 files changed, 12 insertions(+)

(limited to 'docs')

diff --git a/docs/cmdline-opts/proxy-user.d b/docs/cmdline-opts/proxy-user.d
index b1f6f6e03..152466daa 100644
--- a/docs/cmdline-opts/proxy-user.d
+++ b/docs/cmdline-opts/proxy-user.d
@@ -9,4 +9,10 @@ If you use a Windows SSPI-enabled curl binary and do either Negotiate or NTLM
 authentication then you can tell curl to select the user name and password
 from your environment by specifying a single colon with this option: "-U :".
 
+On systems where it works, curl will hide the given option argument from
+process listings. This is not enough to protect credentials from possibly
+getting seen by other users on the same system as they will still be visible
+for a brief moment before cleared. Such sensitive data should be retrieved
+from a file instead or similar and never used in clear text in a command line.
+
 If this option is used several times, the last one will be used.
diff --git a/docs/cmdline-opts/user.d b/docs/cmdline-opts/user.d
index 439def348..7001d28ab 100644
--- a/docs/cmdline-opts/user.d
+++ b/docs/cmdline-opts/user.d
@@ -12,6 +12,12 @@ The user name and passwords are split up on the first colon, which makes it
 impossible to use a colon in the user name with this option. The password can,
 still.
 
+On systems where it works, curl will hide the given option argument from
+process listings. This is not enough to protect credentials from possibly
+getting seen by other users on the same system as they will still be visible
+for a brief moment before cleared. Such sensitive data should be retrieved
+from a file instead or similar and never used in clear text in a command line.
+
 When using Kerberos V5 with a Windows based server you should include the
 Windows domain name in the user name, in order for the server to successfully
 obtain a Kerberos Ticket. If you don't then the initial authentication
-- 
cgit v1.2.1