Re: ps shows user/password under Unix - SUMMARY

From: Rich Cannon <Rich.Cannon_at_ColumbiaSC.NCR.COM>
Date: Wed, 2 Feb 1994 16:59:29 GMT
Message-ID: <CKLwJ5.4rt_at_ncrcae.ColumbiaSC.NCR.COM>


>In article <1994Jan25.164014.10370_at_exlog.com> Lee Parsons writes:
>A number of people contacted me regarding their experiences with
>the ps command revealing username password combinations. With only
>one exception all systems that did reveal the password are ATT
>based systems and those that did not are BSD.
>
>(I think the one exception was a communication error on my part.
> It contradicts my direct experience and is noted below.)
>
>Apparently under ATT derived systems the process information shown
>by ps is owned by the kernel while under BSD ps shows the user's
>version of the process list. Therefore Oracle is unable to change
>the process list under ATT because it doesn't have the write
>access required.
>

On our NCR box (with AT&T Unix) we have two versions of ps, one with restricted access (/usr/sbin) and one with root access (/usr/bin). By using the restricted ps we have eliminated this security hole.


* Rich Cannon -- AT&T GIS CSM&D Columbia *
* DUKE '92 -- Now an Oracle Hostage *
Received on Wed Feb 02 1994 - 17:59:29 CET
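
Added illustration, not part of the original message: the quoted post says a program can change its own ps entry on BSD but not on AT&T-derived systems, and the C sketch below shows that in-place argv scrub. The helper names, the constructed `scott/tiger` style input and the `/proc/self/cmdline` read-back (Linux only) are assumptions of this example.

```c
/* Added example: wipe a "user/password" argument from argv after startup. */
#include <stdio.h>
#include <string.h>

/* Heuristic (assumption): a credential argument is "name/secret" with both
 * parts non-empty, one '/', and no leading '-', '.' or '/'. Index or -1. */
int find_credential_arg(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        const char *slash = strchr(a, '/');
        if (a[0] == '-' || a[0] == '.' || slash == NULL || slash == a)
            continue;                       /* option, path, or no '/' */
        if (slash[1] != '\0' && strchr(slash + 1, '/') == NULL)
            return i;
    }
    return -1;
}

/* Zero the password part in place, keeping "user/". Returns bytes wiped.
 * A real program would first copy the credential into private memory. */
size_t scrub_credential(char *arg)
{
    char *slash = strchr(arg, '/');
    if (slash == NULL)
        return 0;
    volatile char *p = slash + 1;           /* volatile: keep the stores */
    size_t n = 0;
    while (p[n] != '\0')
        p[n++] = '\0';
    return n;
}

int main(int argc, char **argv)
{
    int i = find_credential_arg(argc, argv);
    if (i > 0)
        printf("wiped %zu bytes from argv[%d]\n", scrub_credential(argv[i]), i);
    FILE *f = fopen("/proc/self/cmdline", "r");  /* what a ps-like reader sees */
    if (f != NULL) {
        int c;
        while ((c = fgetc(f)) != EOF)
            putchar(c == '\0' ? ' ' : c);
        putchar('\n');
        fclose(f);
    }
    return 0;
}
```

Even where the scrub takes effect, the password is visible from exec until the scrub runs, so keeping it off the command line remains the reliable fix.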
