Bernd Walter wrote:
> On Fri, Jul 12, 2002 at 10:23:35PM +0100, void wrote:
> > On Wed, Jul 10, 2002 at 02:30:19PM +0200, Bogdan TARU wrote:
> > > 
> > >   Hi guys,
> > > 
> > >  I have just rebooted my machine, and immediately after boot I have run
> > > 'sysctl -a' as a usual user. Well, in 'kern.msgbuf' I have found the
> > > whole master.passwd file, with combinations of usernames/passwords. Isn't
> > > that a security threat?
> > 
> > Do you know how it got in there in the first place?  I'd say that's the
> > security problem.
> 
> I would assume something like editing the passwd in single user mode.
> kern.msgbuf should be closed for non root users - IMO.

The real problem is that a year or so ago phk added code that
unconditionally logged the /dev/console output in the msgbuf so that it
could be logged as /var/log/console.log.

This is one of the unfortunate side effects.  Another one is that /dev/console
output blows away the boot messages.

I've been looking for an excuse to disable and/or reimplement this properly
for ages, but it never got urgent enough.  IMHO, the console output should
go to a separate buffer [which is restricted to root-only], and use a
different output channel to syslogd.

Cheers,
-Peter
--
Peter Wemm - [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
"All of this is for nothing if we don't go to the stars" - JMS/B5
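
Added example, not part of the original thread and not FreeBSD project code: a defensive check for the leak discussed above, which scans message buffer text for master.passwd(5)-shaped records and reports the user name without printing the password field. The function names `scan_msgbuf` and `sample_msgbuf` are hypothetical, and the sample buffer is constructed.

```shell
#!/bin/sh
# Added example: flag master.passwd(5)-shaped records in a message buffer dump.
# Record layout: name:password:uid:gid:class:change:expire:gecos:home_dir:shell

# Reads text on stdin. For every line that has exactly 10 colon-separated
# fields with a plausible login name and numeric uid/gid/change/expire, prints
# the line number, the user name and whether the password field looks like a
# hash. The password field itself is never printed.
scan_msgbuf() {
    awk -F: '
        NF == 10 && $1 ~ /^[A-Za-z_][A-Za-z0-9_.-]*$/ &&
        $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ &&
        $6 ~ /^[0-9]+$/ && $7 ~ /^[0-9]+$/ {
            kind = (substr($2, 1, 1) == "$") ? "hash" : "locked-or-empty"
            printf "line %d: user=%s password-field=%s\n", NR, $1, kind
        }'
}

# Constructed sample (not real data): boot messages with two leaked records,
# as would happen if the file was displayed on the console and logged.
sample_msgbuf() {
    cat <<'EOF'
Copyright (c) 1992-2002 The FreeBSD Project.
ad0: 19092MB <EXAMPLE DISK> [38792/16/63] at ata0-master UDMA66
root:$1$CONSTRUCTED$notarealhashvalue00000:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
Mounting root from ufs:/dev/ad0s1a
EOF
}

# Live use on FreeBSD:  sysctl -n kern.msgbuf | scan_msgbuf
# Offline demo:         sample_msgbuf | scan_msgbuf
```

Any hit means the hashes on that line should be treated as exposed and the passwords rotated. Later FreeBSD releases provide the `security.bsd.unprivileged_read_msgbuf` sysctl to stop non-root users from reading the buffer.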

