On Dec 18, 2006, at 5:51 PM, Fargo Holiday wrote:
> I feel I should point out that, even without an interface, you
> could expose security vulnerabilities. For instance, if you use the
> echo <password>|sudo -S method, it usually displays the password
> that was echoed when you look at the processes, say via ps. This is
> sort of a bad thing, since any application or person could,
> conceptually, run ps and immediately have the user's password. So,
> the concern isn't about what can be done to your application, but
> rather what can be done to the system because of the application.

But ... by using a quick command as the entry mask to the sudo call,
the opportunity for discovery is dramatically lessened:

// execute a really quick command
mShell.Execute "echo " + myPassword + " | sudo -S /usr/bin/true"
// that command will most probably NOT show up in a ps ax command call
mShell.Execute "sudo the_real_command" // password is not required for this call
// handle the mShell.ErrorCode and Result
mShell.Execute "sudo -K"
// That last one resets the sudo "no password" allowance

Not the 100%, absolutely secure solution, but it will cover you for
99.99% of the instances required.
Tim
--
Tim Jones
[EMAIL PROTECTED]
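
The argument-list exposure discussed in this thread, next to the alternative of writing the secret to the child's standard input, as an added example that is not code from the original post. It assumes Linux with /proc; `sleep 2` stands in for the sudo command (no sudo is run), and SECRET and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. SECRET is a constructed placeholder, unique per run.
SECRET="constructed-secret-$$"

# Print "exposed" if SECRET appears in any process's argument list (the data
# ps displays), else "hidden". Uses a shell pattern match instead of grep so
# the check itself does not place the secret on another command line.
scan_argv() {
    for f in /proc/[0-9]*/cmdline; do
        # A process may exit mid-scan; skip entries that can no longer be read.
        args=$(tr '\0' ' ' 2>/dev/null < "$f") || continue
        case $args in *"$SECRET"*) echo exposed; return 0 ;; esac
    done
    echo hidden
}

# Weak form: the secret is part of the command string handed to the shell,
# as with "echo <password> | sudo -S". The sh process carrying that string
# stays alive until the pipeline finishes.
secret_in_command_line() {
    sh -c "echo $SECRET | sleep 2" >/dev/null 2>&1 &
    pid=$!
    sleep 1
    scan_argv
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

# Hardened form: the parent writes the secret to the child's standard input.
# printf is a shell builtin, so no new argument list ever contains it.
secret_on_stdin() {
    printf '%s\n' "$SECRET" | sh -c 'read -r pw; sleep 2' >/dev/null 2>&1 &
    pid=$!
    sleep 1
    scan_argv
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

echo "secret in command line: $(secret_in_command_line)"
echo "secret on stdin:        $(secret_on_stdin)"
```

In an application that launches sudo -S itself, the counterpart of the second form is writing the password to the child process's standard input rather than building it into the command string.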