Re: [xml] security issue.



On Fri, Jul 19, 2002 at 03:21:10PM +0530, laavanya wrote:
Hi,

 The problem of the environment variables of a user being visible to the
other users, without the user having to hack into the environment still
exists in Solaris. The /usr/ucb/ps command helps here.

 Executing "/usr/ucb/ps uxgaeww" lists out all the environment variables
and their values used by all the users currently logged in to the system,
including root's.

This /usr/ucb/ps call is present for compatibility with BSD.

 So, now as we can see the env through the /usr/ucb/ps command, the
FTP username and password of a user is visible to all. Isn't this an issue ?

  Those two environment variables are somewhat standard, they 
are used by libwww too and a few other apps. Now if you can't 
trust environment variables, don't use them to store passwords.
And if you can't trust your OS about preserving specific details
of your environment private, IMHO it's time to switch to another OS !

  Again I don't see why this problem is libxml2 related !
You don't have to use the environment variables, there are internal
ways to set those values. It's just the common way to do this.

Daniel

-- 
Daniel Veillard      | Red Hat Network https://rhn.redhat.com/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
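
The reply above recommends keeping passwords out of the environment and passing them to the library another way. As an added example (not part of the thread and not libxml2 code), one way to do that on a POSIX system is to load the password from a file that only its owner can read and then pass the buffer to the application's own configuration call; `read_secret_file` is a hypothetical helper name and the file path is the caller's choice.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not a libxml2 function): load a password from a file
 * instead of the environment. Returns the password length, or -1 if the file
 * is missing, is not a regular file, is not owned by the caller, is accessible
 * to group or other, is empty, or does not fit in buf. */
static int read_secret_file(const char *path, char *buf, size_t buflen)
{
    struct stat st;
    ssize_t n = 0;
    size_t used = 0;
    int fd;

    if (buflen < 2)
        return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW);  /* refuse a symlink as last component */
    if (fd < 0)
        return -1;
    /* fstat() the open descriptor so the check and the read see the same file. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    while (used < buflen && (n = read(fd, buf + used, buflen - used)) > 0)
        used += (size_t)n;
    close(fd);
    if (n < 0 || used == buflen) {           /* read error, or secret too long */
        memset(buf, 0, buflen);
        return -1;
    }
    buf[used] = '\0';
    used = strcspn(buf, "\r\n");             /* keep the first line only */
    buf[used] = '\0';
    return used > 0 ? (int)used : -1;
}
```

The caller should overwrite the buffer with `memset` once the password has been handed to the library.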


