perl.perl5.porters | Postings from December 1999

Re: getspnam-support

Tom Christiansen
December 3, 1999 19:41
>A program can be written to be run by a regular user, and yet
>be run (on occasion) by root.  If the actual password was provided
>only for an explicit getspw* call and '*' password was provided for
>a getpw* call, programs would have to deliberately choose to have
>security-critical information lying around in their memory --
>obscure attacks would be not possible on programs that never got
>the info in the first place.  Programs that need the password must
>be designed with security in mind, but programs that don't need
>shouldn't be held to the same standard.

If you can attack the memory of a setuid program, then all bets
are off, and nothing else matters.

