[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] How to access Gnome-mounted servers?



On 4/4/07, Peter Scheie <peter scheie homedns org> wrote:
Is passing it as a parameter really less secure than having afp_client
prompt for the password?  Where is the vulnerability?  In our case we
have a script that the users call that pops up a GUI prompt for the PW
and then the script passes the PW as a parameter.  From a security
standpoint, is this really any different than letting afp_client prompt
for the PW?

Yes, putting it on the command line is less secure, it makes it pretty
easy to grab.  Someone could just get it from the process table, which
isn't protected from other users.

There are other vulnerabilities in that afpfsd retains the raw
password, but that password is only available to that specific user.
I'll fix this in a later release, it's not that hard.

- Alex


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]