[rt-users] Security risk! Passwords can be compromised!
Matthew Seaman
matthew.seaman at thebunker.net
Wed Feb 4 03:06:34 EST 2009
Isaac Vetter wrote:
>> The docs for 'LogStackTrace' have been updated as follows. How do
>> folks feel about the new notice?
>>
>> If set then logging will include stack
>> traces for messages with level equal or greater than
>> specified.
>>
>> NOTICE: Stack traces include parameters that functions or methods
>> were called with. It is possible for stack trace logging to reveal sensitive
>> information such as passwords and ticket content in your logs.
>
> Jesse,
>
> Since you're asking (and towards the goal of something useful coming from
> this thread). :)
>
> I would say that, in this case, you shouldn't end a sentence with a
> preposition.
>
> How about:
> "Stack traces include the parameters of called functions."
> or
> "Stack traces include the parameters used within methods and functions."
> or
> ...
One idea I've seen and quite like is what OpenLDAP does. Passwords and
other security tokens are Base64-encoded in all output[*]. Sure, it's a
trivial encoding that anyone could decode in moments, but it prevents
people trivially reading passwords over your shoulder when they are
displayed on your screen.
Cheers,
Matthew
[*] Actually I think this is primarily because those object classes are
defined as containing non-ascii data, rather than specifically as a
security measure. It's a handy side-effect though.
--
Dr Matthew Seaman
PGP: 0x60AE908C on servers
Tel: +44 1304 814890
Fax: +44 1304 814899

The Bunker, Ash Radar Station
Marshborough Rd
Sandwich
Kent, CT13 0PL, UK
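An added illustration of the Base64-wrapping idea from the message above (example code written for this page, not RT's Perl code and not OpenLDAP's implementation). It dumps a stack trace in the style of a LogStackTrace-type option, printing each frame with the parameters and locals it holds, but wraps any value whose variable name looks like a password or token in Base64 so that it is not readable at a glance. The name pattern, the "b64:" prefix, the decode helper and the `authenticate` sample are assumptions made for the example.

```python
import base64
import re

# Variable names treated as sensitive. This pattern is an assumption for the
# example; it is not something RT's LogStackTrace option does by itself.
SENSITIVE_NAME = re.compile(r"(pass(word|wd)?|secret|token|auth)", re.IGNORECASE)


def encode_sensitive(name, value):
    """Render `value` for a log line; Base64-wrap it if `name` looks sensitive.

    The wrapping is deliberately trivial (as the post notes): it only stops a
    password being read over someone's shoulder, it does not protect the log.
    """
    text = repr(value)
    if SENSITIVE_NAME.search(name):
        encoded = base64.b64encode(text.encode("utf-8")).decode("ascii")
        return "b64:" + encoded
    return text


def decode_field(text):
    """Recover a value produced by encode_sensitive (anyone can do this in moments)."""
    if text.startswith("b64:"):
        return base64.b64decode(text[4:]).decode("utf-8")
    return text


def format_frames(tb):
    """One line per frame, then one line per local/parameter in that frame."""
    lines = []
    while tb is not None:
        frame = tb.tb_frame
        code = frame.f_code
        lines.append(f"  File {code.co_filename!r}, line {tb.tb_lineno}, in {code.co_name}")
        for name, value in sorted(frame.f_locals.items()):
            lines.append(f"    {name} = {encode_sensitive(name, value)}")
        tb = tb.tb_next
    return lines


def format_exception_with_locals(exc):
    """Exception header followed by the frames and the arguments they were called with."""
    header = f"{type(exc).__name__}: {exc}"
    return "\n".join([header] + format_frames(exc.__traceback__))


# Constructed sample (hypothetical): an authentication helper that fails while
# the caller's password is still in scope, exactly the case a stack trace
# with parameters would expose.
def authenticate(username, password):
    if username != "admin":
        raise ValueError("unknown user")
    return True


def sample_trace():
    """Return the logged form of a failed authenticate() call."""
    try:
        authenticate("guest", "hunter2")
    except ValueError as exc:
        return format_exception_with_locals(exc)


if __name__ == "__main__":
    print(sample_trace())
```

In the output the `username` parameter is printed in clear while `password` appears as `b64:J2h1bnRlcjIn` (Base64 of the repr `'hunter2'`). As the message says, this is a convenience against casual viewing, not a security control: anyone with read access to the log recovers the value with `decode_field`.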