[PATCH 2/10] Debian patch: Unknown purpose!
Steve Langasek
vorlon at debian.org
Wed May 30 22:01:29 GMT 2007
On Thu, May 31, 2007 at 06:52:54AM +1000, Andrew Bartlett wrote:
> On Wed, 2007-05-30 at 22:10 +0200, Christian Perrier wrote:
> > The attached patch is currently used in Debian.
> > I am afraid that we (at least Steve Langasek and me) have no idea of
> > what it may have been meant for.
> > We can't even tell whether it is Debian specific or not and even the
> > name doesn't help....:-|
> I remember this one...
> The first part is because you have some paranoid users who pass the
> password on the command line, but don't want the password's length
> easily guessed by how many Xs are left in the argv buffer, visible via
> ps, after we process it. (note the race while we process it is
> unprotected).
> It would seem to me a reasonable request, except that this information
> is probably available by looking at the offset of the next argv buffer.
Heh, confirmed; I didn't realize that /proc/$pid/cmdline on Linux would
return a full buffer rather than a set of null-terminated strings. This
seems to be the case for /proc/$pid/environ as well, so both of these
measures are circumventable, at least on Linux 2.6.
Are you inclined to apply it anyway, or should we just drop it?
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                http://www.debian.org/
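
An added illustration, not part of the thread and not Samba or Debian code, of why the scrubbing discussed above does not hide the length: anyone who reads the whole argv buffer still sees how many bytes the argument occupied. The argv contents, the function names and the "keep one X, zero the rest" scrub are assumptions made for the example.

```python
# Constructed example: model of a process's argv region as exposed by
# /proc/<pid>/cmdline on Linux (arguments back to back, NUL-terminated).

def build_region(argv):
    """Lay out argv as one buffer: each string followed by one NUL."""
    return bytearray(b"".join(a.encode() + b"\0" for a in argv))

def scrub(region, offset, length, keep):
    """Overwrite a secret in place: `keep` bytes of 'X', the rest NUL.
    keep == length models plain X-overwriting; keep == 1 models a scrub
    that tries to hide the length (assumed behaviour, not the Debian patch)."""
    region[offset:offset + length] = b"X" * keep + b"\0" * (length - keep)

def slots(region):
    """Return (visible_text, slot_length) per argument, as seen by a reader
    of the full buffer. slot_length counts every byte the argument
    originally occupied, excluding its single terminator. Genuinely empty
    arguments are ambiguous and get folded into the preceding slot."""
    out, i, n = [], 0, len(region)
    while i < n:
        j = i
        while j < n and region[j] != 0:      # end of the visible text
            j += 1
        k = j
        while k < n and region[k] == 0:      # NULs up to the next argument
            k += 1
        out.append((region[i:j].decode(), k - i - 1))
        i = k
    return out

def demo():
    argv = ["client", "--password", "s3cret-value", "--debug"]  # constructed
    secret = argv[2]
    offset = len(argv[0]) + 1 + len(argv[1]) + 1
    results = {}
    for name, keep in (("x_fill", len(secret)), ("truncated", 1)):
        region = build_region(argv)
        scrub(region, offset, len(secret), keep)
        results[name] = slots(region)[2]     # the scrubbed argument's slot
    return results

if __name__ == "__main__":
    for name, (text, size) in demo().items():
        print(f"{name:10} visible={text!r:16} slot_length={size}")
```

Both scrubbing styles report the same slot length, which is why keeping the secret off the command line altogether is the only variant that leaves nothing to measure.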