It's also visible in the process table (ps auxww). It can be erased by rewriting the arguments from inside the process (I think this is OS-specific, not the same as changing argv in-place), but that is a race condition.

The safe way is to either read it from stdin/fd (maybe call isatty(3) to check if someone doesn't echo password | ./foo), or open a file (check if permissions are 600). You could also have a named socket (check permissions!) talking to an authn agent, which could be doing some other fancy stuff like pinging your smartwatch to confirm, etc.

another option is in an env variable (from an encrypted file).

    gpg -d ~/secrets/nuclear_launch_codes.gpg
    source ~/secrets/nuclear_launch_codes

where the gpg key has a password and is stored on a hardware dongle that doesn't allow copying the private key off. If you really want to be fancy, there are some hardware security keys that also require a biometric to confirm.

The other option is something like Hasicorp Vault, but we're way out of "one line bash" territory :p

can't you do `cat /proc/$PID/environ`?

It's chmod 400'd and owned by process owner.

> It can be erased by rewriting the arguments from inside the process

Please nobody rely on this behavior. :O