On Wed, 4 Jul 2007, Jim Freeman wrote:

> On Wed, Jul 04, 2007 at 05:39:25PM +0200, Cristian Ionescu-Idbohrn wrote:
> > On Tue, 3 Jul 2007, Jim Freeman wrote:
> >
> > > # passwd -p **** blip
> >
> > Isn't this the well known insecure method that shouldn't be used
> > because (with the right timing) anyone can snap the password with ps
> > or 'cat /proc/<pid>/cmdline'?
> ...
>
> As I acknowledged in parts you trimmed, yes (if "anyone" is taken
> to mean "someone with shell access").

Yes. Should I apologise for trimming?

> But in many embedded cases, there is no shell access (ergo, the
> cgi remote admin mentioned in the original mail).

Of course.

> In such cases "anyone" == "no one", and "shouldn't be used" becomes
> "might be used", and this particular point is then mooted.

Yes. Still. Any such -p "option" should be marked as "risky" and appear
just as an option (i.e. default disabled).

--
Cristian
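The exposure discussed in this thread, as an added example that is not part of the original mails or of BusyBox: a child process is started once with a secret in its argument list and once with the same secret on stdin, and in each case the script reads back what `/proc/<pid>/cmdline` shows. The tool name `demo-passwd-<pid>` and the secret are constructed stand-ins, and a Linux `/proc` is assumed.

```shell
#!/bin/sh
# Constructed values, unique per run so nothing matches them by accident.
TOOL="demo-passwd-$$"            # hypothetical stand-in for the real tool
SECRET="constructed-secret-$$"   # constructed sample password

# Print a process's argument vector (NUL-separated in /proc) on one line.
cmdline_of() {
    tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline"
}

# Poll until the child has exec'd (its argv shows $TOOL), then print the
# argv any local observer could read. Bounded so it cannot spin forever.
observe() {
    i=0
    while [ "$i" -lt 500 ]; do
        seen=$(cmdline_of "$1")
        case $seen in *"$TOOL"*) printf '%s\n' "$seen"; return 0 ;; esac
        i=$((i + 1))
    done
    return 1
}

# Secret passed as an argument, like `passwd -p **** blip` in the thread.
argv_case() {
    sh -c 'sleep 1; :' "$TOOL" -p "$SECRET" blip >/dev/null 2>&1 &
    pid=$!
    rc=0; observe "$pid" || rc=1
    wait "$pid"
    return "$rc"
}

# Same secret delivered on stdin. printf is a shell builtin, so the secret
# never enters any process's argv; the child's argv has only the user name.
stdin_case() {
    printf '%s\n' "$SECRET" |
        sh -c 'read -r pw; sleep 1; :' "$TOOL" blip >/dev/null 2>&1 &
    pid=$!
    rc=0; observe "$pid" || rc=1
    wait "$pid"
    return "$rc"
}

echo "argv : $(argv_case)"
echo "stdin: $(stdin_case)"
```

The first line of output contains the secret, the second does not; replacing the builtin `printf` with an external command such as `/bin/echo` would put the secret back into an argv.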
