[9fans] a security problem in /sys/log/*
arisawa
2013-03-24 09:21:18 UTC
Hello,

I found an error message in /sys/log/cpu such that
al Mar 19 15:25:16 can't authenticate: al: auth_proxy rpc write: ***@aichi-u.ac.jp ***@aichi-u.ac.jp: no key matches user=arisawa password=xxxxxxx proto=p9sk1 dom=a
where xxxxxxx is my password.

I suspect the message came from
flog("%d: no key matches %A %A %A %A", ki->fss->seqnum, attr0, attr1, attr2, attr3);
in /sys/src/cmd/auth/factotum/util.c

I think a better message is desired.

Kenji Arisawa
Charles Forsyth
2013-03-24 09:52:51 UTC
Post by arisawa
I think a better message is desired.
Somehow you've got something using password instead of !password as an
attribute name. The ! would prevent the attribute's value from being
printed.
arisawa
2013-03-24 13:16:53 UTC
Thanks Forsyth,

/sys/log/cpu is an error log. Therefore it is sure that I did something stupid.
I tried reproducing the same error log, and I found Russ is a very careful person.
Factotum protects against revealing the user's password. For example:
- protects against input such as password=xxxxxxxx (without !)
- carefully hides password in /sys/log/cpu
Therefore I finally gave up reproducing the error.

Kenji Arisawa
Post by arisawa
I think a better message is desired.
Somehow you've got something using password instead of !password as an attribute name. The ! would prevent the attribute's value from being printed.
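
Added example, not part of the thread and not taken from factotum's source: a simplified C model of the convention Charles Forsyth describes, in which an attribute whose name begins with ! has its value withheld when the attribute list is formatted for a log line. The struct attr type, fmt_attrs, logged_line_leaks, the "name?" rendering of a withheld value and the sample password are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical name/value pair: a simplified model, not factotum's Attr. */
struct attr { const char *name, *val; };

#define SECRET "CONSTRUCTED-PW"   /* constructed sample value */

/*
 * Render attrs as space-separated "name=val" pairs, writing "name?" in place
 * of the value when the name starts with '!'. Returns the length written, or
 * -1 if buf is too small, so a caller never logs a half-rendered line.
 */
int fmt_attrs(char *buf, size_t len, const struct attr *a, size_t n)
{
    size_t off = 0;
    if (len == 0)
        return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        const char *sep = i ? " " : "";
        int w = a[i].name[0] == '!'
            ? snprintf(buf + off, len - off, "%s%s?", sep, a[i].name)
            : snprintf(buf + off, len - off, "%s%s=%s", sep, a[i].name, a[i].val);
        if (w < 0 || (size_t)w >= len - off)
            return -1;
        off += (size_t)w;
    }
    return (int)off;
}

/* Build the "no key matches" line with the password attribute named pwname;
 * return 1 if the secret value appears in the text that would be logged. */
int logged_line_leaks(const char *pwname, char *line, size_t len)
{
    struct attr q[] = {
        { "user", "arisawa" }, { pwname, SECRET },
        { "proto", "p9sk1" },
    };
    char attrs[128];
    if (fmt_attrs(attrs, sizeof attrs, q, 3) < 0)
        return -1;
    snprintf(line, len, "no key matches %s", attrs);
    return strstr(line, SECRET) != NULL;
}

int main(void)
{
    char line[160];
    printf("%d %s\n", logged_line_leaks("password", line, sizeof line), line);
    printf("%d %s\n", logged_line_leaks("!password", line, sizeof line), line);
    return 0;
}
```

The same check works as a regression test for any logging path that formats key attributes: feed it a known marker value and fail the build if the marker shows up in the rendered line.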