Interesting way of doing it. Also, as I mentioned earlier, you can keep
the password in a protected file and use cat to read that to stdin,
wherein the process list just shows the filename, if I recall correctly.
Not great, but not bad. Mostly I wanted to bring attention to the idea
that when security issues are mentioned it isn't necessarily in regards
to protecting the application, but rather the system.

Later,
Fargo

Tim Jones wrote:

On Dec 18, 2006, at 5:51 PM, Fargo Holiday wrote:

I feel I should point out that, even without an interface, you could
expose security vulnerabilities. For instance, if you use the echo
<password>|sudo -S method, it usually displays the password that was
echoed when you look at the processes, say via ps. This is sort of a
bad thing, since any application or person could, conceptually, run
ps and immediately have the user's password. So, the concern isn't
about what can be done to your application, but rather what can be
done to the system because of the application.

But ... by using a quick command as the entry mask to the sudo call,
the opportunity for discovery is dramatically lessened:

// execute a really quick command
mShell.Execute "echo " + myPassword + " | sudo -S /usr/bin/true"
// that command will most probably NOT show up in a ps ax command call
mShell.Execute "sudo the_real_command" // password is not required for this call
// handle the mShell.ErrorCode and Result
mShell.Execute "sudo -K"
// That last one resets the sudo "no password" allowance

Not the 100%, absolutely secure solution, but it will cover you for
99.99% of the instances required.
Tim
--
Tim Jones
[EMAIL PROTECTED]
_______________________________________________
Unsubscribe or switch delivery mode:
<http://www.realsoftware.com/support/listmanager/>
Search the archives of this list here:
<http://support.realsoftware.com/listarchives/lists.html>
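
The two patterns compared in this thread, as an added example that is not part of the original messages: the script starts each one through `sh -c`, as a shell wrapper would, and checks whether the password is visible in that process's arguments. `sleep` stands in for `sudo -S` so nothing privileged runs; the password, function names and temp file are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: 'sleep' stands in for 'sudo -S ...'.
SECRET='demo-pass-4f1c'          # constructed sample value, not a real password

# Print the argument vector of PID as other local users would see it.
proc_args() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Start "sh -c <command line> [args]" in the background, then report whether
# SECRET appears in that shell's arguments. Prints "exposed" or "hidden".
check_exposure() {
    sh -c "$@" &
    pid=$!
    sleep 1                       # give the child time to start
    case "$(proc_args "$pid")" in
        *"$SECRET"*) verdict=exposed ;;
        *)           verdict=hidden ;;
    esac
    wait "$pid"
    echo "$verdict"
}

# Pattern 1: password interpolated into the command line (echo <password> | ...).
echo_method() {
    check_exposure "echo $SECRET | sleep 2"
}

# Pattern 2: password kept in a mode-0600 file and read by cat, so only the
# file name appears in the argument list.
file_method() {
    pwfile=$(mktemp) && chmod 600 "$pwfile"
    printf '%s\n' "$SECRET" > "$pwfile"
    check_exposure 'cat "$1" | sleep 2' sh "$pwfile"
    rm -f "$pwfile"
}

echo "echo method: $(echo_method)"
echo "file method: $(file_method)"
```

The password is visible in the first case because it is part of the command string handed to `sh -c`, and it stays there for as long as that shell is waiting on the pipeline.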