* [9fans] a security problem in /sys/log/*
@ 2013-03-24 9:21 arisawa
2013-03-24 9:52 ` Charles Forsyth
0 siblings, 1 reply; 3+ messages in thread
From: arisawa @ 2013-03-24 9:21 UTC (permalink / raw)
To: 9fans
Hello,
I found an error message in /sys/log/cpu such that
al Mar 19 15:25:16 can't authenticate: al: auth_proxy rpc write: p9sk1@aichi-u.ac.jp p9sk1@aichi-u.ac.jp: no key matches user=arisawa password=xxxxxxx proto=p9sk1 dom=a
where xxxxxxx is my password.
I suspect the message came from
flog("%d: no key matches %A %A %A %A", ki->fss->seqnum, attr0, attr1, attr2, attr3);
in /sys/src/cmd/auth/factotum/util.c
I think better message is desired.
Kenji Arisawa
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [9fans] a security problem in /sys/log/*
2013-03-24 9:21 [9fans] a security problem in /sys/log/* arisawa
@ 2013-03-24 9:52 ` Charles Forsyth
2013-03-24 13:16 ` arisawa
0 siblings, 1 reply; 3+ messages in thread
From: Charles Forsyth @ 2013-03-24 9:52 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
[-- Attachment #1: Type: text/plain, Size: 263 bytes --]
On 24 March 2013 09:21, arisawa <arisawa@ar.aichi-u.ac.jp> wrote:
> I think better message is desired.
Somehow you've got something using password instead of !password as an
attribute name. The ! would prevent the attribute's value from being
printed.
[-- Attachment #2: Type: text/html, Size: 562 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [9fans] a security problem in /sys/log/*
2013-03-24 9:52 ` Charles Forsyth
@ 2013-03-24 13:16 ` arisawa
0 siblings, 0 replies; 3+ messages in thread
From: arisawa @ 2013-03-24 13:16 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
Thanks Forsyth,
/sys/log/cpu is an error log. Therefore It is sure that I did something stupid.
I tried reproducing same error log, and I found Russ is very careful person.
Factotum protects against revealing users password. For example:
- protects against input such as password=xxxxxxxx (without !)
- carefully hides password in /sys/log/cpu
therefore I finally gave up reproducing the error.
Kenji Arisawa
On 2013/03/24, at 18:52, Charles Forsyth <charles.forsyth@gmail.com> wrote:
>
> On 24 March 2013 09:21, arisawa <arisawa@ar.aichi-u.ac.jp> wrote:
> I think better message is desired.
>
> Somehow you've got something using password instead of !password as an attribute name. The ! would prevent the attribute's value from being printed.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-03-24 13:16 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-03-24 9:21 [9fans] a security problem in /sys/log/* arisawa
2013-03-24 9:52 ` Charles Forsyth
2013-03-24 13:16 ` arisawa
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).