[Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?
Richard Pieri
richard.pieri at gmail.com
Sat Jan 31 19:29:51 EST 2015
On 1/31/2015 6:25 PM, Kent Borg wrote:
> Daemons, written in Python, on a machine I fully control.

If you fully control it then you don't need authentication.

> Because this is only used to communicate within the machine, no one
> else cares whether it changes. A file with narrow permissions is
> safer than trusting "localhost" restrictions.

Not really. For example, attacker exploits a vulnerability to briefly
acquire root shell access. Attacker uses this to do two things: read the
password and run "chattr +i ${file}". Now your attacker has the current
password and has taken a step to prevent it from being changed.

--
Rich P.
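
Added example (not part of the message above or of the thread): a Python check a daemon could run at start-up on its password file, covering the narrow permissions Kent describes and the immutable flag that "chattr +i" sets. The function names and the expected_uid parameter are assumptions made for illustration; the ioctl request and flag value are the Linux ones from <linux/fs.h>.

```python
import fcntl
import os
import stat
import struct

# Linux values from <linux/fs.h>; the request is _IOR('f', 1, long).
FS_IOC_GETFLAGS = 0x80086601 if struct.calcsize("l") == 8 else 0x80046601
FS_IMMUTABLE_FL = 0x00000010  # the flag "chattr +i" sets


def evaluate(mode, owner_uid, flags, expected_uid):
    """Return a list of findings for one secret file's metadata."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other bits set: %04o" % stat.S_IMODE(mode))
    if owner_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (owner_uid, expected_uid))
    if flags is None:
        findings.append("inode flags could not be read on this filesystem")
    elif flags & FS_IMMUTABLE_FL:
        findings.append("immutable flag set: the secret cannot be rotated")
    return findings


def audit_secret_file(path, expected_uid=None):
    """Audit path; expected_uid (hypothetical parameter) defaults to our euid."""
    if expected_uid is None:
        expected_uid = os.geteuid()
    fd = os.open(path, os.O_RDONLY)
    try:
        st = os.fstat(fd)  # same descriptor for stat and ioctl
        try:
            # The kernel writes a 32-bit int into the start of the buffer.
            buf = fcntl.ioctl(fd, FS_IOC_GETFLAGS, struct.pack("l", 0))
            flags = struct.unpack("i", buf[:4])[0]
        except OSError:
            flags = None  # filesystem without inode-flag support
    finally:
        os.close(fd)
    return evaluate(st.st_mode, st.st_uid, flags, expected_uid)


if __name__ == "__main__":
    import sys
    for finding in audit_secret_file(sys.argv[1]):
        print("WARNING:", finding)
```

An immutable-flag finding on a file the daemon is supposed to rewrite is worth investigating, since setting that flag requires root-level privilege.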