[K12OSN] How to access Gnome-mounted servers?

Alex deVries alexthepuffin at gmail.com
Wed Apr 4 17:35:22 UTC 2007


On 4/4/07, Peter Scheie <peter at scheie.homedns.org> wrote:
> Is passing it as a parameter really less secure than having afp_client
> prompt for the password?  Where is the vulnerability?  In our case we
> have a script that the users call that pops up a GUI prompt for the PW
> and then the script passes the PW as a parameter.  From a security
> standpoint, is this really any different than letting afp_client prompt
> for the PW?

Yes, putting it on the command line is less secure; it makes it pretty
easy to grab.  Someone could just get it from the process table, which
isn't protected from other users.

There are other vulnerabilities in that afpfsd retains the raw
password, but that password is only available to that specific user.
I'll fix this in a later release; it's not that hard.

- Alex
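
Added example, not part of the original message or of afpfs-ng: a check that a wrapper script's argv carries no password before it is logged or reviewed, plus the alternative of handing the secret to the child over stdin. The tool name `mount_tool`, the option names in `SECRET_FLAGS`, and the sample values are assumptions made for illustration.

```python
import re
import subprocess
import sys

# Assumed password-bearing option names; not taken from afp_client's documentation.
SECRET_FLAGS = {"-p", "--pass", "--password"}
# scheme://user:password@host form of a URL argument.
URL_USERINFO = re.compile(r"^[a-z][a-z0-9+.-]*://[^/:@\s]+:[^@/\s]+@", re.I)

# Constructed sample in /proc/<pid>/cmdline layout (NUL-separated argv).
SAMPLE = b"mount_tool\0-u\0student\0-p\0hunter2\0fileserver\0"


def parse_cmdline(raw):
    """Split the NUL-separated argv that the kernel exposes per process."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def exposed_args(argv):
    """Return sorted indexes of argv entries that carry a secret."""
    hits = set()
    for i, arg in enumerate(argv):
        flag, sep, value = arg.partition("=")
        if flag in SECRET_FLAGS and sep and value:       # --password=VALUE
            hits.add(i)
        elif arg in SECRET_FLAGS and i + 1 < len(argv):  # -p VALUE
            hits.add(i + 1)
        elif URL_USERINFO.match(arg):                    # user:pass@host
            hits.add(i)
    return sorted(hits)


def redact(argv):
    """Copy of argv that is safe to write to an audit log."""
    bad = set(exposed_args(argv))
    return ["<redacted>" if i in bad else a for i, a in enumerate(argv)]


def run_with_secret_on_stdin(cmd, secret):
    """Give the child the secret over a pipe so it never appears in argv."""
    done = subprocess.run(cmd, input=secret + "\n", text=True,
                          capture_output=True, check=True)
    return done.stdout


if __name__ == "__main__":
    print(redact(parse_cmdline(SAMPLE)))
    # Stand-in child that reads the secret from stdin instead of argv.
    child = [sys.executable, "-c", "import sys; print(len(sys.stdin.readline().strip()))"]
    print(exposed_args(child), run_with_secret_on_stdin(child, "hunter2").strip())
```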



