BLU Discuss list archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?
- Subject: [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?
- From: richard.pieri at gmail.com (Richard Pieri)
- Date: Sat, 31 Jan 2015 19:29:51 -0500
- In-reply-to: <54CD6472.4010205@borg.org>
- References: <54CCF4A4.6040703@borg.org> <BN3PR0401MB12047C55630B33A85B6EDACCDC3E0@BN3PR0401MB1204.namprd04.prod.outlook.com> <54CD6472.4010205@borg.org>
On 1/31/2015 6:25 PM, Kent Borg wrote:
> Daemons, written in Python, on a machine I fully control.
If you fully control it then you don't need authentication.
> Because this is only used to communicate within the machine, no one
> else cares whether it changes. A file with narrow permissions is
> safer than trusting "localhost" restrictions.
Not really. For example, attacker exploits a vulnerability to briefly
acquire root shell access. Attacker uses this to do two things: read the
password and run "chattr +i ${file}". Now your attacker has the current
password and has taken a step to prevent it from being changed.
--
Rich P.
- References:
- [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?
- From: kentborg at borg.org (Kent Borg)
- [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?
- From: kentborg at borg.org (Kent Borg)
- [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?
- Prev by Date: [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?
- Previous by thread: [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?
- Next by thread: [Discuss] securing API passwords
- Index(es):
