root password prompts

Mike McCarty Mike.McCarty at sbcglobal.net
Thu May 27 07:27:19 UTC 2010


Rahul Sundaram wrote:
> On 05/27/2010 11:47 AM, Mike McCarty wrote:
>> Patrick O'Callaghan wrote:
>>   
>>> IOW it remembers it by logging it. How else would it do it except by
>>> recording it in a file?
>>>     
>> I'm not interested in argumentation. It does not remember passwords,
>> period.
>>   
> 
> I am not sure how you can declare that when it is obvious the
> functionality is there.  Perhaps the argument here is about semantics. 

All programs which prompt for, and receive, passwords in clear
text form go to extra lengths to make sure that they do NOT
"remember" passwords in any form. They overwrite the input
buffers used, for example. Any program which receives passwords
in clear text and doesn't make sure not to "remember" the
passwords should have its metaphorical wrist slapped, since it
creates a potential security breach.

The fellow I responded to is contributing to a thread which
concerns precise differences between how different tools
handle security. He already wrote one inaccurate statement,
from which I infer that he is not writing very clearly, and
possibly not thinking very clearly, about what takes place
when these programs run, to wit, implying that sudo prompts
for root's password, which it does not. When I tried to
"read behind" what he wrote, which was obviously inaccurate,
and supposed that he meant "su", he corrected me, reinforcing
my belief that he was not giving due consideration to what
he is writing.

As a consequence, since I've already been corrected when trying,
inaccurately, to figure a way for his statements to make sense,
I no longer intend to do so. I believe he means what he writes,
but he isn't thinking clearly about what he writes. So, if it's
inaccurate, it's inaccurate, and I'm not going to try to guess
at what he might have meant, which might have been correct, but
was not what he wrote. That is, if it makes a difference to the
thread.

I'm not interested in egos, or posturing, or whatever. I just
want to help someone who knows less about how these security
programs work to understand better. That won't happen when
inaccurate and unclear or ambiguous statements are being made.

I am not going to argue about anything. If he can show me where
in the source sudo "remembers passwords" I'll recant. If he can't
do that, then he should simply admit that he misspoke, and be
a little more careful. I'm not trying to save my ego, either,
nor prove that I, or anyone else, is right or wrong.

I just don't want to see inaccurate information spread, like
sudo "remembers passwords" when it goes to some length to make
sure that it does not.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
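
The distinction argued in the message above, as an added example that is not part of the original post and not taken from sudo's source: a program can wipe the clear-text password buffer after checking it and keep only a record of when authentication succeeded. Every name, the 300-second lifetime and the sample password are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* All names are hypothetical; this is a sketch of the pattern, not sudo's source. */
#define TICKET_LIFETIME 300 /* seconds; value assumed for illustration */

struct ticket { time_t granted; }; /* the only state kept after the prompt */

/* Zero through a volatile pointer so the compiler cannot elide the stores
 * as dead writes to a buffer that is never read again. */
static void wipe(void *buf, size_t len) {
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}

/* Stand-in verifier with a constructed password; a real one would call
 * PAM or compare against a stored hash. */
static int verify_password(const char *pw) {
    return strcmp(pw, "correct horse") == 0;
}

/* Check the clear-text input, then wipe it whether or not it matched. */
int authenticate(char *pwbuf, size_t len, struct ticket *t, time_t now) {
    int ok = verify_password(pwbuf);
    wipe(pwbuf, len);
    if (ok) t->granted = now;
    return ok;
}

/* Later invocations consult the time record, never a stored password. */
int ticket_valid(const struct ticket *t, time_t now) {
    return t->granted != 0 && now >= t->granted
        && now - t->granted <= TICKET_LIFETIME;
}

/* Returns 1 when every byte of the buffer is zero. */
int buffer_is_clear(const char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) if (buf[i]) return 0;
    return 1;
}

int main(void) {
    char pw[32] = "correct horse"; /* constructed sample input */
    struct ticket t = {0};
    int ok = authenticate(pw, sizeof pw, &t, time(NULL));
    printf("auth=%d cleared=%d valid=%d\n", ok,
           buffer_is_clear(pw, sizeof pw), ticket_valid(&t, time(NULL)));
    return 0;
}
```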

