Package: tgt
Version: 1:1.0.51-1
Severity: normal
Tags: upstream

Dear Maintainer,

The "tgtadm" command requires that a password, if set, be provided on the command line such as:

  tgtadm --lld iscsi --op new --mode account --user ronnie --password password

Command line parameters are not normally secure. They can be seen by any other user on the system using ps. This could result in an unintended user gaining access to the iSCSI device.

The password should be read from a file instead. E.g.

  tgtadm --lld iscsi --op new --mode account --user ronnie --passwordfile ~/password

Passwords that are stored in /etc/tgt are read by tgt-admin but still processed using tgtadm, so are also vulnerable.

A work-around is to disable the ability for other users to see command line parameters. See:

  https://debian-administration.org/article/702/Hiding_processes_from_other_users
  http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201

Cheers,
-- Brett

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tgt depends on:
ii  init-system-helpers     1.22
ii  libc6                   2.19-18+deb8u4
ii  libconfig-general-perl  2.56-1
ii  libibverbs1             1.1.8-1.1
ii  librdmacm1              1.0.19.1-1
ii  libsystemd0             215-17+deb8u4
ii  lsb-base                4.1+Debian13+nmu1
ii  sg3-utils               1.39-1

tgt recommends no packages.

Versions of packages tgt suggests:
pn  tgt-glusterfs  <none>
pn  tgt-rbd        <none>

-- no debconf information
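
Added example (not part of the original report, and not tgt's own code): a Python audit for the exposure and the work-around described above. It reads the hidepid option on the /proc mount and lists processes whose argv carries --password, without echoing the value; the function names and the sample command line are constructed for illustration.

```python
import os

SECRET_FLAGS = ("--password",)  # flag named in the report; extend for other tools
# Constructed sample: the report's command line as it would appear in /proc/<pid>/cmdline
SAMPLE = b"\0".join(b"tgtadm --lld iscsi --op new --mode account --user ronnie --password password".split()) + b"\0"

def proc_hidepid(mounts_text):
    """Return the hidepid value of the /proc mount ('0' if the option is absent)."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            for opt in fields[3].split(","):
                if opt.startswith("hidepid="):
                    return opt.split("=", 1)[1]
            return "0"
    return None  # no procfs mounted at /proc

def secret_flags_in(cmdline):
    """List secret-bearing flags in a NUL-separated cmdline buffer (values are not returned)."""
    argv = [a.decode(errors="replace") for a in cmdline.split(b"\0") if a]
    hits = []
    for i, arg in enumerate(argv):
        name, sep, value = arg.partition("=")
        # Match both "--password VALUE" and "--password=VALUE"
        if name in SECRET_FLAGS and (value or (not sep and i + 1 < len(argv))):
            hits.append(name)
    return hits

def scan_live(proc="/proc"):
    """Return {pid: [flags]} for every process visible to the calling user."""
    found = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as f:
                hits = secret_flags_in(f.read())
        except OSError:
            continue  # process exited, or access denied
        if hits:
            found[int(pid)] = hits
    return found

if __name__ == "__main__":
    with open("/proc/mounts") as f:
        print("hidepid on /proc:", proc_hidepid(f.read()))
    for pid, flags in scan_live().items():
        print(f"pid {pid} exposes {flags} in argv")
```

Run it as an unprivileged user: with hidepid active on /proc, other users' processes are not listed at all, so the scan only ever sees the caller's own.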