Front page | perl.perl5.porters |
Postings from December 1999
Re: getspnam-support
From: Tom Christiansen
Date: December 3, 1999 19:41
Subject: Re: getspnam-support
Message ID: 199912040340.UAA08312@jhereg.perl.com

>A program can be written to be run by a regular user, and yet
>be run (on occasion) by root. If the actual password was provided
>only for an explicit getspw* call and '*' password was provided for
>a getpw* call, programs would have to deliberately choose to have
>security-critical information lying around in their memory --
>obscure attacks would be not possible on programs that never got
>the info in the first place. Programs that need the password must
>be designed with security in mind, but programs that don't need
>shouldn't be held to the same standard.
If you can attack the memory of a setuid program, then all bets
are off, and nothing else matters.
--tom