Re: static gchar security
- From: Filip Van Raemdonck <mechanix debian org>
- To: gtk-app-devel-list <gtk-app-devel-list gnome org>
- Subject: Re: static gchar security
- Date: Fri, 8 Nov 2002 09:05:08 +0100
On Tue, Nov 05, 2002 at 01:52:41PM -0500, John Palmieri wrote:
On Tue, 2002-11-05 at 09:55, Jason A. Pfeil wrote:
Any root-level program could pick up that
password very easily just by examining /dev/kmem.
But isn't this the same issue as storing passwords in plain text for
programs like gaim?
So who says that's ok?
If somone could get a root level
program to sniff passwords they could just as easly get one in to record
keystrokes. On any multi user system you have to trust the admins.
Obviously. But when something crashes and the pw is still in memory,
chances are that it gets stored somewhere where a even a trustworthy
admin can read it by accident (and hopefully only an admin).
Also, keeping a cache on
disk instead of in memory would eliminate the potential for someone
taking a snapshot of /dev/kmem and accidently give away your password to
an untrusted recipient.
So now you're telling it's safer to keep the pw in persistent storage
rather than volatile storage?
Trusting root or not isn't the only consideration here, unfortunately it
appears that people are using exactly that as an excuse to go for weaker
security.
Regards,
Filip
--
<broonie> Why do all the idiots on debian-user insist on trying sendmail.
<Myth> because sendmail is "industry standard"
<broonie> Mind you, I suppose the industry standard is to be a fscking moron.
<Thing> broonie: tell them to fuck off and use M$ Exchange -- that's that
market leader, surely?
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]