From mboxrd@z Thu Jan 1 00:00:00 1970
From: arisawa
Message-Id: <53BAB592-B277-407D-9522-EADF9D77808A@ar.aichi-u.ac.jp>
Date: Sun, 24 Mar 2013 18:21:18 +0900
To: 9fans@9fans.net
Subject: [9fans] a security problem in /sys/log/*

Hello,

I found an error message in /sys/log/cpu such that

al Mar 19 15:25:16 can't authenticate: al: auth_proxy rpc write: p9sk1@aichi-u.ac.jp p9sk1@aichi-u.ac.jp: no key matches user=arisawa password=xxxxxxx proto=p9sk1 dom=a

where xxxxxxx is my password.

I suspect the message came from

	flog("%d: no key matches %A %A %A %A", ki->fss->seqnum, attr0, attr1, attr2, attr3);

in /sys/src/cmd/auth/factotum/util.c

I think better message is desired.

Kenji Arisawa

From mboxrd@z Thu Jan 1 00:00:00 1970
In-Reply-To: <53BAB592-B277-407D-9522-EADF9D77808A@ar.aichi-u.ac.jp>
References: <53BAB592-B277-407D-9522-EADF9D77808A@ar.aichi-u.ac.jp>
Date: Sun, 24 Mar 2013 09:52:51 +0000
From: Charles Forsyth
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] a security problem in /sys/log/*

On 24 March 2013 09:21, arisawa wrote:
> I think better message is desired.

Somehow you've got something using password instead of !password as an attribute name. The ! would prevent the attribute's value from being printed.

From mboxrd@z Thu Jan 1 00:00:00 1970
From: arisawa
Date: Sun, 24 Mar 2013 22:16:53 +0900
Message-Id: <2428FA36-6C18-4190-8D03-51410FC51A61@ar.aichi-u.ac.jp>
References: <53BAB592-B277-407D-9522-EADF9D77808A@ar.aichi-u.ac.jp>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] a security problem in /sys/log/*

Thanks Forsyth,

/sys/log/cpu is an error log. Therefore it is sure that I did something stupid.
I tried reproducing the same error log, and I found Russ is a very careful person.
Factotum protects against revealing the user's password. For example:
- protects against input such as password=xxxxxxxx (without !)
- carefully hides password in /sys/log/cpu
therefore I finally gave up reproducing the error.

Kenji Arisawa

On 2013/03/24, at 18:52, Charles Forsyth wrote:
>
> On 24 March 2013 09:21, arisawa wrote:
> I think better message is desired.
>
> Somehow you've got something using password instead of !password as an attribute name. The ! would prevent the attribute's value from being printed.
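
The `!` convention discussed in this thread, as an added example that is not part of the thread and not factotum's code: a log formatter that withholds the value of any attribute whose name starts with `!`, and also of names on a small deny-list, so a mistyped `password=` is not written to a log either. The function names, the deny-list and the `name?` output form are assumptions of this example; the sample strings are constructed from the log line quoted in the first message.

```c
#include <stdio.h>
#include <string.h>
/* Names treated as secret even without '!' (this example's list, an assumption). */
static const char *secret_names[] = { "password", "secret", NULL };

static int is_secret(const char *name, size_t n)
{
    if (n > 0 && name[0] == '!') return 1;   /* the convention from the thread */
    for (int i = 0; secret_names[i] != NULL; i++)
        if (strlen(secret_names[i]) == n && strncmp(name, secret_names[i], n) == 0)
            return 1;
    return 0;
}

/* Copy space-separated name=value attributes from in to out, replacing the
 * "=value" of every secret attribute with '?'. Output is truncated to fit outsz
 * and always NUL-terminated. Quoted values with spaces are not handled. */
char *redact_attrs(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return out;
    while (*in != '\0') {
        size_t tok = strcspn(in, " ");                 /* length of this attribute */
        const char *eq = memchr(in, '=', tok);
        size_t nlen = eq ? (size_t)(eq - in) : tok;    /* length of the name */
        size_t keep = (eq && is_secret(in, nlen)) ? nlen : tok;
        for (size_t i = 0; i < keep && o + 1 < outsz; i++)
            out[o++] = in[i];
        if (keep != tok && o + 1 < outsz)
            out[o++] = '?';                            /* value withheld */
        in += tok;
        if (*in == ' ') {
            if (o + 1 < outsz)
                out[o++] = ' ';
            in++;
        }
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    char buf[128];
    /* Constructed inputs modelled on the log line quoted in the thread. */
    puts(redact_attrs("user=arisawa password=xxxxxxx proto=p9sk1 dom=a", buf, sizeof buf));
    puts(redact_attrs("user=arisawa !password=xxxxxxx proto=p9sk1", buf, sizeof buf));
    return 0;
}
```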