
Bug 35037

Summary: straces and related info
Product: Gentoo Linux
Reporter: Tobias Klausmann (RETIRED) <klausman>
Component: Current packages
Assignee: Gentoo Security <security>
Severity: critical    
Priority: High    
Version: 1.0   
Hardware: All   
OS: All   
Package list:
Runtime testing required: ---

Description Tobias Klausmann (RETIRED) gentoo-dev 2003-12-04 02:14:57 UTC
I noticed that some developers ask bug reporters for straces and similar information. While strace is an invaluable tool, it also contains risks.

For instance, someone might have trouble with xscreensaver. After being asked to send in an strace of the failing program run, the user does so, not actually knowing what strace does.

This strace might contain plain-text passwords of the bug reporter. 

I suggest educating developers about this issue. They should warn people about possibly sensitive information being transferred in this way. The same goes for core dumps. I have witnessed at least one occasion where a plaintext password landed in open view for the world on Gentoo Bugzilla. Even including the user name that goes with it. I have informed the user about it.
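The pre-submission check this report argues for, as an added example that is not part of the bug or of any Gentoo tool: a small Python scrubber that blanks the data buffers of I/O syscalls in strace output (where a typed or transmitted password ends up) and lists the lines that still mention credential-like words for manual review. The sample trace is constructed for the example.

```python
import re

# Syscalls whose quoted argument is a program's data buffer: this is where a
# typed password or an outgoing "PASS ..." line ends up in strace output.
IO_SYSCALLS = {"read", "write", "pread64", "pwrite64", "readv", "writev",
               "send", "sendto", "sendmsg", "recv", "recvfrom", "recvmsg"}

# Optional "[pid N]" or "HH:MM:SS" prefix, then the syscall name and "(".
_SYSCALL = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?(\w+)\(")
# One C string literal as strace prints it, including escapes such as \" and \n.
_STR_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Words that suggest a credential anywhere on a line (a path, a header, a command).
_SUSPECT = re.compile(r"(?i)pass(?:word|wd)?|auth|secret|token|cookie")

# Constructed sample, not taken from the bug: a mail client reading a password
# from the terminal and sending it to a POP3 server.
SAMPLE_TRACE = r'''execve("/usr/bin/fetchmail", ["fetchmail"], [/* 20 vars */]) = 0
open("/etc/passwd", O_RDONLY)            = 3
read(0, "hunter2\n", 4096)               = 8
write(4, "USER alice\r\n", 12)           = 12
write(4, "PASS hunter2\r\n", 14)         = 14
connect(4, {sa_family=AF_INET, sin_port=htons(110), sin_addr=inet_addr("192.0.2.10")}, 16) = 0'''


def redact_line(line: str) -> str:
    """Blank the first quoted buffer of an I/O syscall; leave other lines intact."""
    m = _SYSCALL.match(line)
    if not m or m.group(1) not in IO_SYSCALLS:
        return line
    return _STR_LITERAL.sub('"[REDACTED]"', line, count=1)


def redact_trace(text: str) -> str:
    """Redact every I/O buffer in a whole strace capture."""
    return "\n".join(redact_line(line) for line in text.splitlines())


def suspect_lines(text: str) -> list:
    """1-based numbers of lines mentioning credential-like words; check these by
    hand before posting (run on the unredacted text so nothing is hidden)."""
    return [n for n, line in enumerate(text.splitlines(), 1) if _SUSPECT.search(line)]


if __name__ == "__main__":
    print(redact_trace(SAMPLE_TRACE))
    print("review lines:", suspect_lines(SAMPLE_TRACE))
```

Note that strace run with -v also prints the full environment of execve(), which this scrubber does not touch, so those lines still need a look.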
Comment 1 solar (RETIRED) gentoo-dev 2003-12-10 14:06:51 UTC

You should always read man files before running any command regardless 
of who told you to run it. 
I suggest you audit your own data before you POST it in the future.

changing resolution to INVALID.
Comment 2 SpanKY gentoo-dev 2003-12-10 18:45:08 UTC
i e-mailed this bug to gentoo-dev so that other developers would think about such things before asking for straces ...

yes users should audit their own stuff but as developers supporting a distribution we can't rely on end users knowing everything
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2003-12-11 01:02:21 UTC
Solar: Er, one second. I /didn't/ submit any such data. I witnessed others doing so. And I feel that it'd be just courteous to explain to people willing to help what the implications of a command that a dev asked for are.

For example "Please send in an strace, but make sure you don't have any real authentication data in your application." I know that this is not always possible. Still, I think that a large number of devs just aren't really aware about this issue.

Further, if a dev sees such a submission (an strace containing auth info), privately mailing the submitter and maybe asking the Bugzilla admin to remove/fix this submission isn't asking for too much, IMHO.

SpanKY: Thanks.
Comment 4 solar (RETIRED) gentoo-dev 2003-12-12 17:47:54 UTC
err sorry here guy (been sick). I misunderstood your request initially.

Anyway as you feel pretty strong about this issue I encourage you to 
help raise awareness on this issue by sending mail to our -dev and
various other lists to help make both devs and end users aware.

SpanKY thank you for sending a link to this bug.
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2003-12-13 04:06:33 UTC
Solar: I've contacted the GWN people about it. I think writing about it/explaining the implications in GWN might get the thought across to a large number of people.

As for the misunderstanding: no hard feelings, we're all just humans (I think) ;)