Re: Security Problems of using Pro-C
Date: 13 Jan 1994 04:16:03 -0600
Message-ID: <CJKCCo.7nq_at_uk.ac.brookes>
Brian Sachar (sachar_at_iserv.melpar.esys.com) wrote:
> alacy_at_hayes.com writes:
> >1. Hard code the name and password. This is not considered as valid
> > solution.
> >2. Pass the name and password as parameters to the Pro-C program. The
> > problem with this option is that anyone with access to the Unix
> > command "ps" can easily see the parameters.
> >3. Store the name and password as environment variables and have the
> > Pro-C program look there for them. The problem with this is there
> > is an option to "ps" which will show the environment.
> Method 3 is probably a safer bet than Method 2 because some versions
> of "ps" do not have the environment option.
But if you know that your version of ps does have this option?
> Another possibility is to use the "<<" operator to pass the password
> through standard input. For example,
> I'm not sure of any security problems with using standard input,
> but I'm sure there are some...
Option 5: use OPS$ accounts, and then the username and password are simply /, and everybody's happy!
-- 
 _________________________  __________________________________________
/ Tommy Wareing           \/ I've been looking for an original sin,   \
| p0070621_at_brookes.ac.uk X  One with a twist and a bit of a spin     |
\ 0865-483389             /\     -- Pandora's Box, Jim Steinman       /
 ~~~~~~~~~~~~~~~~~~~~~~~~~  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Received on Thu Jan 13 1994 - 11:16:03 CET
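
The standard-input approach mentioned in the quoted reply, as an added example that is not part of the original posts: a C routine a Pro-C program could call before connecting, so the credentials are never placed in argv or the environment. The names `read_creds`, `struct creds` and `CRED_MAX`, and the single-line `user/password` input format, are assumptions made for this example.

```c
/* Added example, not code from the thread: credentials arrive on stdin. */
#include <stdio.h>
#include <string.h>

#define CRED_MAX 64   /* assumed per-field limit, NUL included */
struct creds { char user[CRED_MAX]; char pass[CRED_MAX]; };

/* Zero a buffer through a volatile pointer so the store is not optimised away. */
static void scrub(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Read one "user/password" line from `in`. Returns 0 on success, -1 on EOF,
 * an overlong line, or a missing/empty field; `out` is left zeroed on failure. */
int read_creds(FILE *in, struct creds *out)
{
    char line[2 * CRED_MAX + 2], *slash;
    size_t len;
    int rc = -1;
    memset(out, 0, sizeof *out);
    if (fgets(line, sizeof line, in) != NULL) {
        len = strcspn(line, "\r\n");
        /* No newline and not at EOF means fgets truncated the line. */
        if (line[len] != '\0' || feof(in)) {
            line[len] = '\0';
            slash = strchr(line, '/');
            if (slash != NULL && slash != line && slash[1] != '\0' &&
                (size_t)(slash - line) < CRED_MAX && strlen(slash + 1) < CRED_MAX) {
                memcpy(out->user, line, (size_t)(slash - line));
                strcpy(out->pass, slash + 1);
                rc = 0;
            }
        }
    }
    scrub(line, sizeof line);   /* do not leave the password on the stack */
    return rc;
}

int main(void)
{
    struct creds c;
    if (read_creds(stdin, &c) != 0)
        return 1;               /* nothing usable on standard input */
    /* A Pro*C program would issue its CONNECT here with c.user and c.pass. */
    printf("credentials read for user %s\n", c.user);
    scrub(&c, sizeof c);
    return 0;
}
```

Fed from a here-document or a pipe, the line never appears in the process's argument list or environment, which is what "ps" reports.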