On Tue, 28 Jun 2011 07:30:15 +0200 Elias Oltmanns <e...@nebensachen.de> wrote:
Good morning Elias,

> Stevan Bajić <ste...@bajic.ch> wrote:
> > On Sun, 26 Jun 2011 13:26:11 +0200
> > Elias Oltmanns <e...@nebensachen.de> wrote:
> >
> > I fail to see why the maintenance script should leak passwords? Can you
> > provide a scenario in which the password would be leaked?
>
> Sorry, the changelog entry turns out to be rather less informative than
> I had intended. Anyone who manages to execute
> $ ps ax
> at the right time (tm) can get hold of the db access password used in
> the maintenance script; it will appear in the argument list to one of the
> script's subprocesses.
>
> Admittedly, the chance is very slim, especially when /tmp is on shm, and
> the attacker would need access to a user account on the machine running
> dspam. All the same, we needn't rely on chances and this is a cronjob,
> after all.
>
Okay. I will look after work at that issue. IMHO exposing the password to everyone with 'ps ax' is not good. We should, no! We must avoid that.

> Regards,
>
> Elias
>
--
Kind Regards from Switzerland,

Stevan Bajić
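The exposure discussed in this thread, as an added example that is not part of the original messages or of the dspam maintenance script: a password passed as a command-line argument can be read from the child's argument list, while one handed over in a 0600 file cannot. It assumes a Linux /proc; SECRET, the demo-job label and the sleeping sh child are constructed stand-ins for the db password and the database client.

```shell
# Constructed stand-ins: SECRET for the db password, "demo-job" as a label,
# and a sleeping sh child in place of the database client.
SECRET='constructed-Pw-12345'

# True if process $1 shows string $2 in its argv. /proc/PID/cmdline is the
# NUL-separated argument list that `ps ax` prints on Linux.
argv_contains() {
    [ -r "/proc/$1/cmdline" ] || return 1
    args=$(tr '\0' ' ' < "/proc/$1/cmdline")
    case $args in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Poll (up to ~5 s) until child $1 has exec'd and its argv carries our label.
wait_for_child() {
    tries=0
    while [ "$tries" -lt 5 ]; do
        argv_contains "$1" demo-job && return 0
        tries=$((tries + 1)); sleep 1
    done
    return 1
}

# Weak: the password is an argument, so any local user can read it.
start_leaky() {
    sh -c 'sleep 3; :' demo-job "--password=$1" >/dev/null 2>&1 &
    CHILD_PID=$!
}

# Hardened: the password goes into a 0600 file written by the shell builtin
# printf (no process is spawned for it); only the file's path reaches argv.
start_safe() {
    SECRET_FILE=$(umask 077; mktemp) || return 1
    printf '%s\n' "$1" > "$SECRET_FILE"
    sh -c 'read -r pw < "$1"; sleep 3; :' demo-job "$SECRET_FILE" >/dev/null 2>&1 &
    CHILD_PID=$!
}

# Starts a child via function $1 and prints "exposed" or "hidden".
report() {
    "$1" "$SECRET"; pid=$CHILD_PID
    wait_for_child "$pid" || { echo "no-child"; return 1; }
    if argv_contains "$pid" "$SECRET"; then echo exposed; else echo hidden; fi
    kill "$pid" 2>/dev/null || :
    [ -z "${SECRET_FILE:-}" ] || rm -f "$SECRET_FILE"
}

echo "password as argument: $(report start_leaky)"
echo "password in 0600 file: $(report start_safe)"
```

A real database client would be pointed at the 0600 file through its own option-file or password-file mechanism rather than through `read`.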