Paul,
> Perhaps passwords should not be echoed to the log.
LOL No kidding. :-) My initial thought was to alert *current* users of the
potential problem, and advise them of steps they could take immediately.
The code can be changed. As it stands, logging is at a point where it is
just echoing back the command entered:
    private boolean parseCommand(String commandRaw) {
        if (commandRaw == null) return false;
        // the whole raw line goes to the log, password and all
        getLogger().info("Command received: " + commandRaw);
        ...
We haven't gotten to the code that does the parsing, so we don't yet know
that the line IS a password.
I can move the log statement to after we parse out the verb. FWIW, I also
believe that this should be DEBUG, not INFO.
Anyone object to these changes?
--- Noel
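As an added illustration of the change proposed above (not code from James or from this thread): the verb is parsed before anything is logged, the log line goes out at DEBUG, and the argument of PASS is masked. java.util.logging stands in for the James logger, with FINE playing the role of DEBUG; the sample lines in main are constructed.

```java
import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.Logger;

public class Pop3CommandLogging {
    private static final Logger LOG = Logger.getLogger(Pop3CommandLogging.class.getName());

    // A raw line split into its verb and (possibly empty) argument.
    static final class Command {
        final String verb;
        final String argument;
        Command(String verb, String argument) { this.verb = verb; this.argument = argument; }
    }

    /** Split "VERB [argument]" the way POP3 does; null for a null or blank line. */
    static Command parse(String raw) {
        if (raw == null) return null;
        String line = raw.trim();
        if (line.isEmpty()) return null;
        int space = line.indexOf(' ');
        String verb = (space < 0 ? line : line.substring(0, space)).toUpperCase(Locale.ROOT);
        String arg = (space < 0) ? "" : line.substring(space + 1).trim();
        return new Command(verb, arg);
    }

    /** The form of the command that is safe to write to a log file. */
    static String loggable(Command cmd) {
        // PASS carries the clear-text password, so only the verb is recorded.
        if ("PASS".equals(cmd.verb)) return "PASS *****";
        return cmd.argument.isEmpty() ? cmd.verb : cmd.verb + " " + cmd.argument;
    }

    /** Parse first, then log the masked form at DEBUG (FINE here). */
    boolean parseCommand(String commandRaw) {
        Command cmd = parse(commandRaw);
        if (cmd == null) return false;
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("Command received: " + loggable(cmd));
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample lines; with FINE enabled the log shows
        // "Command received: USER alice" and "Command received: PASS *****".
        Pop3CommandLogging p = new Pop3CommandLogging();
        p.parseCommand("USER alice");
        p.parseCommand("pass hunter2");
    }
}
```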
-----Original Message-----
From: Paul Hammant [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 07, 2002 16:53
To: James Developers List
Subject: Re: Local security issue?
Noel,
Perhaps passwords should not be echoed to the log. ***** instead ?
-ph
>Should we be warning admins that if the mail server has shell users or
>network file visibility, they need to be sure to lock down the directory
>containing the james logs, or at least the pop3server log? The reason being
>that all commands received are echoed to the log ... including the user's
>password.
>
>Alternatively, they could be told to change the logging level from DEBUG to
>WARN.
>
>Comments?
>
> --- Noel
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>