
Re: Removing system users on purge [Re: Bits from the release team: the plans for etch]

* Don Armstrong (don@debian.org) wrote:
> On Wed, 26 Oct 2005, Javier Fernández-Sanguino Peña wrote:
> > On Wed, Oct 26, 2005 at 05:24:28PM +0200, Frank Küster wrote:
> > > What about log files with sensitive content?
> > 
> > Non-issue, as I said in the end of my post, those should be removed
> > on purge.
> The log files that are created by the default package configuration
> should be removed, but custom modifications to the configuration can
> cause logfiles to be created elsewhere that are owned by the user in
> question.

Have we actually got a specific case of this happening and there being a
real security threat from it?  Seems like an awful lot of hand-waving
and concern for a possible scenario that doesn't seem to have actually
happened much (if at all, so far all I've seen has been pure
speculation).  An admin can set root's password to 'password' and allow
remote root login too, and that probably happens with greater frequency
than the scenario being put forth here.


