perl.perl5.porters | Postings from November 1999

Re: getspnam-support

Dan Sugalski
November 29, 1999 05:47
At 02:19 PM 11/29/99 +0100, Matthias Urlichs wrote:
>Dan Sugalski:
>> >Returning the shadow data just because you're running as root is a
>> >security hole.
>> If you're running as root there are no security holes since there is no
>> security. You can already do anything you want, so why quibble over this?
>Consider a setuid-root program which doesn't need the actual password,
>but which calls getpw*() for other reasons.
>Conceivably, that program could be induced to leak the password.

Sorry, don't buy it. That'd require some odd tricks to get the password, as
the program'd have to explicitly ask for it anyway, and why ask if it's not
necessary? Either the program needs the password and therefore the
discussion is moot, or it doesn't and has thus been crocked somehow anyway.

Plus anything running as root had darned well better be beyond
extra-careful in the first place, so presumably the vigilant programmer
would have checked for something like this in the first place.


----------------------------------------"it's like this"-------------------
Dan Sugalski                            even samurai
                                        have teddy bears and even
                                        teddy bears get drunk
