Unsticking foot for 60 seconds - and, yes, this time I checked before I blab. Let's hope I checked enough:
On Thu, Oct 1, 2009 at 11:25 PM, Michael D. Adams <mdmko...@gmail.com> wrote:
> Any normal user on a Linux machine would be able to see 'ps -f'. But
> to 'cat' the keyfile or coredump the app, they would need to either

For cat I don't need to be root; all it takes is a simple mistake in the file access rights for world or group. I can cat a file with world rights if I know its path and that can be deduced from the ps output. When I'm in the same group as the owner, same again, but now for group rights, so something like

chmod 0400 keyfile

would be mandatory when creating it.

And, yup, coredumping and such takes more effort. Was just thinking out loud.

The point of my original blurb was to hint that going keyfile is not improving security all that much, at least not in arenas where terms like 'cryptographic strength' etc. come into play as well; generating a MAC is using crypto, so you're landed in that arena at least implicitly. Crypto folks tend to regard the word 'security' differently than others, at least where I am; it's like regular people 'thanking them' versus a navy captain 'thanking them' (at least that's the literal translation for it from Dutch; don't know the precise US or English military lingo for this) - /exact/ same words, /quite/ different impact. (Hint: in the latter case you won't get a handshake, once there's time you'll get a salute, but it might take a while. There might be medals for you, though.)

Alas, enough of this already. One bloody word, such a mess. At least now I know why PC popped into my brain back then. Simple words. Big messes.

From a pure usage perspective, having the test tools support a commandline format for keys where you can say things like 'literal:mykey' or 'file:keyfile' to the same command option is a nice idea to have throughout. Hm, maybe a patch for that can appease my lordship(s) ;-)

Sticking foot back in...
--
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--------------------------------------------------
web: http://www.hobbelt.com/
     http://www.hebbut.net/
mail: g...@hobbelt.com
mobile: +31-6-11 120 978
--------------------------------------------------
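
Added illustration, not part of the message above and not OpenSSL code: a sketch of the 'literal:mykey' / 'file:keyfile' option format the message suggests, where a key file is refused unless it has no group or world permission bits (what chmod 0400 leaves). The function name load_key and the rejection policy are assumptions made for this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: load a key given as "literal:<key>" or "file:<path>".
 * Returns the key length, or -1 on error. A key file is rejected unless it
 * is a regular file with no group/world permission bits set. */
long load_key(const char *spec, unsigned char *buf, size_t cap)
{
    if (strncmp(spec, "literal:", 8) == 0) {
        size_t n = strlen(spec + 8);
        if (n == 0 || n > cap)
            return -1;
        memcpy(buf, spec + 8, n);   /* a literal key is visible in 'ps -f' */
        return (long)n;
    }
    if (strncmp(spec, "file:", 5) != 0)
        return -1;                  /* unknown scheme */

    int fd = open(spec + 5, O_RDONLY);
    if (fd < 0)
        return -1;

    struct stat st;
    /* fstat the open descriptor so the check and the read use the same file */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    ssize_t n = read(fd, buf, cap);
    close(fd);
    return n > 0 ? (long)n : -1;
}

int main(int argc, char **argv)
{
    unsigned char key[256];
    /* The default spec is a constructed sample value. */
    long n = load_key(argc > 1 ? argv[1] : "literal:constructed-key",
                      key, sizeof key);
    if (n < 0) { fputs("key rejected\n", stderr); return 1; }
    printf("loaded %ld key bytes\n", n);
    return 0;
}
```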