[Opensim-dev] ConsoleClient -pass option
Dickson, Mike (ISS Software)
mike.dickson at hp.com
Fri Sep 4 14:33:26 UTC 2009
Right. That gets around the issue. BTW, if the server is running SNMP or something that gives access to the process list this problem can leak outside the local machine. I don't for sure but I'm guessing you could have the same issue in Windows with WMI.
IMO, the right answer is to dump the consoles, beef up the XML/RPC admin interface and if desired do a separate "console app" that parses and sends the XML/RPC to the server. I've been noodling on that but still struggling with a stable config with the new "BUST" architecture.
Mike
-----Original Message-----
From: opensim-dev-bounces at lists.berlios.de [mailto:opensim-dev-bounces at lists.berlios.de] On Behalf Of Dr Scofield
Sent: Friday, September 04, 2009 3:19 AM
To: opensim-dev at lists.berlios.de
Subject: Re: [Opensim-dev] ConsoleClient -pass option
Dickson, Mike (ISS Software) wrote:
> I'd agree with Dave on this one. Just a simple long ps listing gets you the password if its on cleartext on the command line. At least the file can be locked down via permissions. A password on the command line is pretty much insecure. Might as well not have one.
...unless you rewrite argv (which is standard practise for stuff like that).
DrS/dirk
>
> Mike
>
> -----Original Message-----
> From: opensim-dev-bounces at lists.berlios.de [mailto:opensim-dev-bounces at lists.berlios.de] On Behalf Of Melanie
> Sent: Thursday, September 03, 2009 10:02 PM
> To: opensim-dev at lists.berlios.de
> Subject: Re: [Opensim-dev] ConsoleClient -pass option
>
> It's choosing the lesser evil.
>
> Melanie
>
>
> Dave Coyle wrote:
>> On Thursday 03 September 2009 03:00:46 pm wrote:
>>> commit 6b70b5709913e9734f5864560e997b34dfd58b85
>>> Author: Justin Clark-Casey (justincc) <jjustincc at googlemail.com>
>>> Date: Thu Sep 3 20:00:18 2009 +0100
>>>
>>> * Add extra warning about using -pass in
>>> OpenSim.ConsoleClient.ini.example
>>>
>>> <...>
>>>
>>> + ; Please be aware that this is not secure since the password is in the
>>> clear + ; we recommend the use of -pass wherever possible
>>> ;pass = secret
>>
>> Is the password not also in the clear, visible to any local user who does a
>> 'ps', if you use the -pass switch? Access to OpenSim.ConsoleClient.ini can at
>> least be restricted to specific user(s). I don't see how -pass is the lesser
>> of the two evils.
>>
>> -coyled
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Opensim-dev mailing list
>> Opensim-dev at lists.berlios.de
>> https://lists.berlios.de/mailman/listinfo/opensim-dev
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
--
dr dirk husemann ---- virtual worlds research ---- ibm zurich research lab
SL: dr scofield ---- drscofield at xyzzyxyzzy.net ---- http://xyzzyxyzzy.net/
RL: hud at zurich.ibm.com - +41 44 724 8573 - http://www.zurich.ibm.com/~hud/
_______________________________________________
Opensim-dev mailing list
Opensim-dev at lists.berlios.de
https://lists.berlios.de/mailman/listinfo/opensim-dev
More information about the Opensim-dev
mailing list