Re: getspnam-support
From: Dan Sugalski
Date: November 29, 1999 05:47
Subject: Re: getspnam-support
Message ID: 3.0.6.32.19991129084906.00bca790@tuatha.sidhe.org

At 02:19 PM 11/29/99 +0100, Matthias Urlichs wrote:
>Hi,
>
>Dan Sugalski:
>> >Returning the shadow data just because you're running as root is a possible
>> >security hole.
>>
>> If you're running as root there are no security holes since there is no
>> security. You can already do anything you want, so why quibble over this?
>
>Consider a setuid-root program which doesn't need the actual password,
>but which calls getpw*() for other reasons.
>
>Conceivably, that program could be induced to leak the password.

Sorry, don't buy it. That'd require some odd tricks to get the password, as
the program'd have to explicitly ask for it anyway, and why ask if it's not
necessary? Either the program needs the password and therefore the
discussion is moot, or it doesn't and has thus been crocked somehow anyway.
Plus anything running as root had darned well better be beyond
extra-careful in the first place, so presumably the vigilant programmer
would have checked for something like this in the first place.

					Dan

----------------------------------------"it's like this"-------------------
Dan Sugalski                          even samurai
dan@sidhe.org                         have teddy bears and even
                                      teddy bears get drunk