On Dec 15, 2006, at 12:29 AM, Jorge Godoy wrote:

>
> "kuom" <[EMAIL PROTECTED]> writes:
>
>> I have briefly looked at the code, and it looks like TurboGears is
>> using the configobj module to do most of the work, and it looks like a
>> bigger hack than I was hoping for to work my things in there...
>>
>> Does anyone here have any suggestions on how I should approach this?  I
>> would like to be able to have this functionality and not have to
>> re-patch TurboGears every time I run an update...
>
> Take a look at the setup.py script and how it "fetches" information from
> release.py.
>
> Anyway, if the file can be processed the information can be easily retrieved
> by an attacker.  The only solution to that is some way to ask for the password
> and somehow wipe it out of caches, RAM, swap, etc. (it should never get to
> swap...).

If they can poke RAM then you're totally screwed... :) Your biggest
concern would be to make sure sensitive data can't be read from swap
because anyone with physical access to your hard disk could retrieve
loads of interesting stuff from there (try, for example, grepping
your root password from your swap partition/file... seeing the result
was what made me get into the healthy habit of always encrypting swap
files).

If using a 2.6 Linux kernel you can use dm-crypt to encrypt swap and
any other partition which might hold sensitive data.
http://www.planamente.ch/emidio/docs/linux/dm-crypt/dm-crypt-3.html#ss3.3

Alberto
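
An added example, not part of the original message: a shell check that reports whether each active swap area sits directly on a dm-crypt mapping, using the `CRYPT-` prefix that cryptsetup puts on the device-mapper UUID. The function names and the overridable `PROC_SWAPS` / `SYS_BLOCK` variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit active swap areas for dm-crypt backing.
# PROC_SWAPS and SYS_BLOCK are hypothetical overrides so the check can be
# pointed at a constructed tree instead of the live system.
PROC_SWAPS="${PROC_SWAPS:-/proc/swaps}"
SYS_BLOCK="${SYS_BLOCK:-/sys/block}"

# classify_swap PATH TYPE -> prints encrypted | plaintext | unknown
classify_swap() {
    path=$1 type=$2
    # A swap file is only as protected as the filesystem it lives on;
    # that cannot be decided from the device-mapper UUID alone.
    [ "$type" = "file" ] && { echo unknown; return; }
    # /dev/mapper/NAME is a symlink to /dev/dm-N; resolve it when possible.
    real=$(readlink -f "$path" 2>/dev/null) || real=$path
    [ -n "$real" ] || real=$path
    node=${real##*/}
    uuid_file="$SYS_BLOCK/$node/dm/uuid"
    if [ -r "$uuid_file" ]; then
        # cryptsetup mappings carry a DM UUID that starts with "CRYPT-".
        case $(cat "$uuid_file") in
            CRYPT-*) echo encrypted; return ;;
        esac
    fi
    # Only the top-level device is inspected: a swap LV stacked on an
    # encrypted PV also lands here and needs a manual look at slaves/.
    echo plaintext
}

# audit_swap -> one line per swap area; returns 1 unless all are "encrypted"
audit_swap() {
    rc=0
    while read -r path type _rest; do
        [ "$path" = "Filename" ] && continue   # header line of /proc/swaps
        [ -n "$path" ] || continue
        status=$(classify_swap "$path" "$type")
        printf '%s\t%s\t%s\n' "$path" "$type" "$status"
        [ "$status" = encrypted ] || rc=1
    done < "$PROC_SWAPS"
    return $rc
}
```

Source the file and run `audit_swap`; a non-zero return means at least one swap area was not confirmed as sitting on dm-crypt.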
