[PATCH 2/10] Debian patch: Unknown purpose!

Steve Langasek vorlon at debian.org
Wed May 30 22:01:29 GMT 2007

On Thu, May 31, 2007 at 06:52:54AM +1000, Andrew Bartlett wrote:
> On Wed, 2007-05-30 at 22:10 +0200, Christian Perrier wrote:
> > The attached patch is currently used in Debian.

> > I am afraid that we (at least Steve Langasek and me) have no idea of
> > what it may have been meant for.

> > We can't even tell whether it is Debian specific or not and even the
> > name doesn't help....:-|

> I remember this one...

> The first part is because you have some paranoid users who pass the
> password on the command line, but don't want the password's length
> easily guessed by how many Xs are left in the argv buffer, visible via
> ps, after we process it.  (note the race while we process it is
> unprotected).

> It would seem to me a reasonable request, except that this information
> is probably available by looking at the offset of the next argv buffer. 

Heh, confirmed; I didn't realize that /proc/$pid/cmdline on Linux would
return a full buffer rather than a set of null-terminated strings.  This
seems to be the case for /proc/$pid/environ as well, so both of these
measures are circumventable, at least on Linux 2.6.

Are you inclined to apply it anyway, or should we just drop it?

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/
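
The point confirmed in the message above, as an added example (not code from the Debian patch, from Samba, or from anyone on the thread): when the argv region is read as one raw buffer, the offset of the next argument gives the width of the masked slot whether it is filled with Xs or with NULs. The command line, the offset constant, and the function names `slot_width` and `leaked_len` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample (hypothetical command line): the argv region as one
 * buffer, each argument NUL-terminated and packed directly after the last. */
static const char SAMPLE[] = "client\0-U\0alice%hunter2\0-d\0" "1";
#define ARG_OFF 10  /* offset of "alice%hunter2": after "client\0" and "-U\0" */

/* Bytes reserved for the argument at `start`, measured the way a reader of
 * the raw buffer can: up to the first byte of the next argument. */
size_t slot_width(const char *region, size_t len, size_t start)
{
    size_t i = start;
    while (i < len && region[i] != '\0') i++;  /* text still visible */
    while (i < len && region[i] == '\0') i++;  /* terminator and zeroed bytes */
    return i - start - 1;                      /* drop the one real terminator */
}

/* Hypothetical masking step: overwrite everything after '%' with `fill`
 * ('X' or '\0'), then report the password length the buffer still reveals. */
size_t leaked_len(char fill)
{
    char region[sizeof SAMPLE];
    memcpy(region, SAMPLE, sizeof SAMPLE);

    char *arg = region + ARG_OFF;
    char *pw = strchr(arg, '%') + 1;
    size_t prefix = (size_t)(pw - arg);        /* "alice%" stays readable */

    memset(pw, fill, strlen(pw));
    return slot_width(region, sizeof region, ARG_OFF) - prefix;
}

int main(void)
{
    printf("X fill:   %zu bytes\n", leaked_len('X'));
    printf("NUL fill: %zu bytes\n", leaked_len('\0'));
    return 0;
}
```

Both fills report 7, the length of the constructed password, which is why the thread treats the masking as circumventable.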
