
Re: Is Bug#139359 really a bug ?



On Fri, Mar 22, 2002 at 10:50:24AM +0100, Jean-Michel Kelbert wrote:
> I received this (1) bug report yesterday. It is really easy to fix: I
> should only comment out one line of code:
> 
> kdDebug (7199) << "Command : " << command << endl;

That doesn't fix the security problem.
 
> However, this line is for debugging. So I ask myself whether it is necessary to
> consider this a bug, and to fix it. I agree that it should be
> considered a security failure; however, when you use smbmount in the
> console you can write your password. And this isn't considered a bug

You should pass the password to smbmount using the PASSWD environment
variable.  The command line of any process can be read from /proc by
any random user.  The environment variables can only be read by the
owner.
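
The difference described in the reply above, shown as an added example that is not part of the original message or of any project's code: it starts a child process with a password once in argv and once in the PASSWD environment variable, then reports what /proc/<pid>/cmdline and /proc/<pid>/environ expose and to whom. The password value, the Python sleeper standing in for smbmount, and all function names are assumptions made for this illustration; it needs a Linux /proc.

```python
import os
import stat
import subprocess
import sys
import time

SECRET = "constructed-sample-pw"         # constructed value, not a real credential
SLEEPER = "import time; time.sleep(30)"  # hypothetical stand-in for a running smbmount


def read_nul_list(path):
    """Read a NUL-separated /proc file (cmdline or environ) into a list of strings."""
    with open(path, "rb") as f:
        return [x.decode(errors="replace") for x in f.read().split(b"\0") if x]


def world_readable(path):
    """True if the file mode grants read access to the 'other' permission class."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def inspect_child(extra_args=(), extra_env=None):
    """Start the stand-in, report where SECRET shows up under /proc/<pid>, stop it."""
    env = dict(os.environ, **(extra_env or {}))
    child = subprocess.Popen([sys.executable, "-c", SLEEPER, *extra_args], env=env)
    base = f"/proc/{child.pid}"
    try:
        # The new image's argv/environ can appear slightly after exec; poll briefly.
        deadline = time.monotonic() + 2
        while not (environ := read_nul_list(f"{base}/environ")):
            if time.monotonic() > deadline:
                break
            time.sleep(0.01)
        return {
            "secret_in_cmdline": SECRET in read_nul_list(f"{base}/cmdline"),
            "secret_in_environ": f"PASSWD={SECRET}" in environ,
            "cmdline_world_readable": world_readable(f"{base}/cmdline"),
            "environ_world_readable": world_readable(f"{base}/environ"),
        }
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    print("password in argv:  ", inspect_child(extra_args=[SECRET]))
    print("password in PASSWD:", inspect_child(extra_env={"PASSWD": SECRET}))
```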


