That's no excuse for cleartext passwords in logfiles, or for mixing logfiles with passwords in with logfiles which don't include passwords (the latter might rightly be given lighter security settings, particularly if those logs are examined by software - or the administrator - from other boxes).

For those more interested in usability in a production environment, change the #defines for *_LOG_FILE as illustrated below (there are about 4 different instances to change). The original line is the one inside the #else.

#ifdef BLCHAPS // smtp log path
#define SMTP_LOG_FILE           "smtp" SYS_SLASH_STR "smtp"
#else
#define SMTP_LOG_FILE           "smtp"
#endif

Logs will then be placed inside individual directories under log/, which can have individual security settings applied more easily, and be shared selectively.



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Davide Libenzi
Sent: Tuesday 23 September 2003 12:55 PM
To: XMail mailing list
Subject: [xmail] Re: Hide password in log



On Tue, 23 Sep 2003, Michal Altair Valasek wrote:

>
> Hello,
>
> |> I have enabled POP logs. Is there any way to hide passwords
> |in that log?
> |
> |What about setting the correct permissions to MAIL_ROOT ?
>
> It's the immediate solution, but the basic security rule is not to
> give a chance - and not to rely on one thing. It's why you should
> patch your server even when you're behind a firewall. And why you
> should not store sensitive data secured only by access rights.
>
> Especially when you recommend running XMail in the SYSTEM security context,
> and thus allow access to anyone running in the same context - for
> example any other similar server software, which may have a security hole.

Look, if someone gets root/SYSTEM on your machine, hiding passwords from a log file does not help at all. Passwords cannot be hashed, since they're required in plain when doing POP3/IMAP auths, and this can let the attacker get them. A root/SYSTEM can do anything he wants on your machine, and this is by definition.



- Davide

-
To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]



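The per-protocol log layout proposed in the reply above, worked through as an added example that is not XMail's own code: the BLCHAPS #ifdef and SYS_SLASH_STR mirror the posted snippet, while build_log_path(), log_dir_of() and log_open_private() are helpers written for this example. It assumes a POSIX host with "/" as the separator, a log root under /tmp for the demo run, and the policy that a log which carries credentials (POP3) gets a 0700 directory while one that does not (SMTP) gets 0750 so a log-reader group on another box can be granted access to it alone.

```c
/*
 * Added example, not part of XMail: composes "<logroot>/<proto>/<proto>"
 * the way the BLCHAPS #define does, creates the protocol directory with
 * its own mode, and opens the log append-only, owner read/write.
 * Assumptions: POSIX, "/" separator, helper names are this example's own.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define LOGPATH_MAX 4096
#define BLCHAPS                        /* turn on the subdirectory layout */

#ifndef SYS_SLASH_STR
#define SYS_SLASH_STR "/"              /* XMail sets this per platform; "/" assumed here */
#endif

#ifdef BLCHAPS                         /* one directory per protocol under log/ */
#define SMTP_LOG_FILE "smtp" SYS_SLASH_STR "smtp"
#define POP3_LOG_FILE "pop3" SYS_SLASH_STR "pop3"
#else                                  /* original flat layout: log/smtp, log/pop3 */
#define SMTP_LOG_FILE "smtp"
#define POP3_LOG_FILE "pop3"
#endif

/* Compose "<logroot>/<logfile>" into buf.  Returns 0, or -1 if it would be truncated. */
int build_log_path(char *buf, size_t len, const char *logroot, const char *logfile)
{
    int n = snprintf(buf, len, "%s" SYS_SLASH_STR "%s", logroot, logfile);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Copy the directory part of path (everything before the last separator) into dir. */
int log_dir_of(const char *path, char *dir, size_t len)
{
    const char *sep = strrchr(path, SYS_SLASH_STR[0]);
    if (sep == NULL || (size_t)(sep - path) >= len)
        return -1;
    memcpy(dir, path, (size_t)(sep - path));
    dir[sep - path] = '\0';
    return 0;
}

/*
 * Create the protocol's log directory with dirmode (0700 for a log that
 * carries credentials, 0750 for one a log-reader group may see) and open
 * the log file append-only with mode 0600.  chmod() is applied explicitly
 * so an inherited umask cannot change the directory mode either way.
 * Returns an open fd, or -1 with errno set.
 */
int log_open_private(const char *logroot, const char *logfile, mode_t dirmode)
{
    char path[LOGPATH_MAX], dir[LOGPATH_MAX];

    if (build_log_path(path, sizeof path, logroot, logfile) < 0)
        return -1;
    if (log_dir_of(path, dir, sizeof dir) < 0)
        return -1;
    if (mkdir(dir, dirmode) < 0 && errno != EEXIST)
        return -1;
    if (chmod(dir, dirmode) < 0)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
}

int main(void)
{
    char root[64];

    /* Demo log root; a real install would use <MAIL_ROOT>/log (assumption). */
    snprintf(root, sizeof root, "/tmp/xmail-log-example-%ld", (long)getpid());
    if (mkdir(root, 0750) < 0 && errno != EEXIST) {
        perror("mkdir");
        return 1;
    }
    int pop3 = log_open_private(root, POP3_LOG_FILE, 0700);  /* has passwords: owner only */
    int smtp = log_open_private(root, SMTP_LOG_FILE, 0750);  /* no passwords: group readable */
    if (pop3 < 0 || smtp < 0) {
        perror("log_open_private");
        return 1;
    }
    printf("pop3 log: %s" SYS_SLASH_STR "%s (dir 0700)\n", root, POP3_LOG_FILE);
    printf("smtp log: %s" SYS_SLASH_STR "%s (dir 0750)\n", root, SMTP_LOG_FILE);
    close(pop3);
    close(smtp);
    return 0;
}
```

The mkdir()/chmod() pair is what makes the per-directory policy hold regardless of the umask the service was started with; on Windows the equivalent step is an ACL on each subdirectory, which this POSIX example does not cover.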