Just because someone CAN get to the files doesn't mean it should be
easy. Passwords should either be removable from the log as an option or
hashed (or both :-)  ). I admit it is sometimes very handy to check for
spelling mistakes in passwords, but leaving them out would be nice too.

-----Original Message-----
From: Davide Libenzi [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 23 September 2003 19:55
To: XMail mailing list
Subject: [xmail] Re: Hide password in log


On Tue, 23 Sep 2003, Michal Altair Valasek wrote:

>
> Hello,
>
> |> I have enabled POP logs. Is there any way to hide passwords
> |in that log?
> |
> |What about setting the correct permissions to MAIL_ROOT ?
>
> It's the immediate solution, but the basic security rule is not to give a
> chance - and not to rely on one thing. It's why you should patch your server
> even when you're behind a firewall. And why you should not store sensitive
> data secured only by access rights.
>
> Especially when you recommend running XMail in the SYSTEM security context, and
> thus allow access to anyone running in the same context - for example any other
> similar server software, which may have a security hole.

Look, if someone gets root/SYSTEM on your machine, hiding passwords from a
log file does not help at all. Passwords cannot be hashed since they're
required in plain when doing POP3/IMAP auths, and this lets the
attacker get them. A root/SYSTEM can do anything he wants on your
machine, and this is by definition.


- Davide

-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to
[EMAIL PROTECTED]

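The first reply above asks for passwords to be "removable from the log as an option or hashed". As an added example (not XMail's code, and not from anyone in the thread), here is a small filter that applies either option to POP3 session log lines before they are written; the log format and the sample lines are constructed for the example, and the hash mode uses a salted SHA-256 digest so the operator's "check for spelling mistakes" use case still works by comparing digests.

```python
import hashlib
import re

# Constructed sample of a POP3 session log (not XMail's real format):
# one line per exchange, "<timestamp> <client-ip> C:|S: <text>".
SAMPLE_LOG = """\
2003-09-23 19:55:01 192.0.2.10 C: USER alice
2003-09-23 19:55:02 192.0.2.10 C: PASS s3cret!
2003-09-23 19:55:02 192.0.2.10 S: +OK
2003-09-23 19:55:03 192.0.2.10 C: STAT"""

# Group 1 is everything up to and including "PASS ", group 2 is the
# password itself; POP3 passwords may contain spaces, so take the rest.
PASS_RE = re.compile(r"^(.*\bC: PASS )(.+)$", re.IGNORECASE)


def redact_line(line: str, mode: str = "remove", salt: bytes = b"") -> str:
    """Return the line with the PASS argument removed ("remove") or
    replaced by a truncated salted SHA-256 digest ("hash").
    Lines that are not a client PASS command pass through unchanged."""
    m = PASS_RE.match(line.rstrip())
    if not m:
        return line
    prefix, password = m.group(1), m.group(2)
    if mode == "remove":
        replacement = "<removed>"
    elif mode == "hash":
        # A digest of a low-entropy password is still guessable offline by
        # anyone holding the salt, so "remove" is the safer default; "hash"
        # only lets an operator confirm that a known candidate was typed.
        digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
        replacement = "sha256:" + digest[:16]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return prefix + replacement


def redact_log(text: str, mode: str = "remove", salt: bytes = b"") -> str:
    """Apply redact_line to every line of a log and rejoin them."""
    return "\n".join(redact_line(l, mode, salt) for l in text.splitlines())


if __name__ == "__main__":
    print(redact_log(SAMPLE_LOG, "remove"))
    print(redact_log(SAMPLE_LOG, "hash", salt=b"constructed-site-salt"))
```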