Re: Fwd: Password leaks are security holes

To: Johan Walles <johan.walles@gmail.com>
Cc: "Giacomo A. Catenazzi" <cate@debian.org>, debian-security@lists.debian.org, debian-security+ml@ngolde.de, 311772@bugs.debian.org
Subject: Re: Fwd: Password leaks are security holes
From: Mark Brown <broonie@debian.org>
Date: Thu, 28 Aug 2008 12:47:02 +0100
Message-id: <[🔎] 20080828114658.GC11132@sirena.org.uk>
Mail-followup-to: Johan Walles <johan.walles@gmail.com>, "Giacomo A. Catenazzi" <cate@debian.org>, debian-security@lists.debian.org, debian-security+ml@ngolde.de, 311772@bugs.debian.org
In-reply-to: <[🔎] 9b0752e70808280405m2aafc310r883526c6ee65e21c@mail.gmail.com>
References: <[🔎] 9b0752e70808271228j33d116b6m8c5d19af201ee591@mail.gmail.com> <20080827203237.GB4739@ngolde.de> <[🔎] 9b0752e70808280003y3d40d0bjabd62e6a75c3071c@mail.gmail.com> <[🔎] 48B65589.5080308@debian.org> <[🔎] 9b0752e70808280405m2aafc310r883526c6ee65e21c@mail.gmail.com>

On Thu, Aug 28, 2008 at 01:05:19PM +0200, Johan Walles wrote:
> 2008/8/28 Giacomo A. Catenazzi <cate@debian.org>:

> > auth.log was invented for this reason, and separated to standard log:
> > it should be readable only by root, because users do errors.

> It's readable by anybody with physical access to the hardware.

> Hard disks get stolen all the time [1], and on publicly accessible
> machines it's often possible to boot in runlevel 1 or from something
> other than the hard disk and access any files you like.  That's why
> the passwords in /etc/shadow are all hashed, rather than just being
> chmodded.

If you take this argument to its logcal conclusion it affects pretty
much any piece of software.  If you accidentally type your password into
a text editor it may save a backup file containing that password, for
example.  Type it into an IRC client by mistake and it'll become rather
more public than you might anticipate.

Once you start worrying about people with physical access to the machine
there's a whole bunch of other issues to deal with - things like SSH
private keys are also going to get exposed, for example.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."

Reply to:

Follow-Ups:
- Re: Fwd: Password leaks are security holes
  - From: "Giacomo A. Catenazzi" <cate@debian.org>

References:
- Password leaks are security holes
  - From: "Johan Walles" <johan.walles@gmail.com>
- Fwd: Password leaks are security holes
  - From: "Johan Walles" <johan.walles@gmail.com>
- Re: Fwd: Password leaks are security holes
  - From: "Giacomo A. Catenazzi" <cate@debian.org>
- Re: Fwd: Password leaks are security holes
  - From: "Johan Walles" <johan.walles@gmail.com>

Prev by Date: Re: Fwd: Password leaks are security holes
Next by Date: Re: Fwd: Password leaks are security holes
Previous by thread: Re: Fwd: Password leaks are security holes
Next by thread: Re: Fwd: Password leaks are security holes
Index(es):
- Date
- Thread