|Summary:||straces and related info|
|Product:||Gentoo Linux||Reporter:||Tobias Klausmann (RETIRED) <klausman>|
|Component:||Current packages||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
Description Tobias Klausmann (RETIRED) 2003-12-04 02:14:57 UTC
I noticed that some developers ask bug reporters for straces and similar information. While strace is an invaluable tool, it also contains risks. For instance, someone might have trouble with xscreensaver. After being asked to send in an strace of the failing program run, the user does so, not actually knowing what strace does. This strace might contain plain-text passwords of the bug reporter. I suggest educating developers about this issue. They should warn people about possibly sensitive information being transferred in this way. The same goes for core dumps. I have witnessed at least one occasion where a plaintext password landed in open view for the world on Gentoo Bugzilla. Even including the user name that goes with it. I have informed the user about it.
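The report above describes the risk without showing what it looks like on the wire. The following is an added example, not part of the bug or of any Gentoo tool: a small Python filter that scrubs credential-shaped values from the string arguments strace prints for read/write/send-style syscalls, so a capture can be checked and cleaned before it is attached to a bug. The secret patterns and the sample capture are constructed for this example and assumed to be representative; extend the pattern list for the application actually being traced.

```python
import re

# An strace line looks like:  [pid 1234] 12:00:01.123 write(3, "payload", 27) = 27
# Optional pid/timestamp prefixes are skipped to recover the syscall name.
_CALL_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?(?:\d+\s+)?(?:\d+:\d+:\d+(?:\.\d+)?\s+)?(\w+)\(')

# Secret shapes commonly carried in read/write/send/recv payloads (constructed
# list for this example). Group 1 is the label that is kept, group 2 the value
# that is replaced. strace escapes embedded quotes as \" and newlines as \n, so
# a value stops at a backslash, a quote or whitespace.
SECRET_PATTERNS = [
    # password=hunter2, passwd: hunter2, \"password\": \"hunter2\" (form / JSON)
    re.compile(r'(?i)((?:password|passwd|pwd)[\\"]*\s*[=:]\s*[\\"]*)([^&\s"\\]+)'),
    # HTTP: Authorization: Basic dXNlcjpodW50ZXIy  /  Authorization: Bearer ...
    re.compile(r'(Authorization:\s*(?:Basic|Bearer)\s+)([^\s"\\]+)'),
    # FTP / POP3 "PASS hunter2" at payload start or after an escaped \r or \n
    re.compile(r'((?:^|\s|"|\\[rn])PASS\s+)([^\s"\\]+)'),
]
REDACTED = "<REDACTED>"


def redact_strace_line(line):
    """Return (redacted_line, number_of_secrets_replaced) for one strace line."""
    count = 0

    def _sub(m):
        nonlocal count
        count += 1
        return m.group(1) + REDACTED

    for pat in SECRET_PATTERNS:
        line = pat.sub(_sub, line)
    return line, count


def redact_strace(text):
    """Redact a whole capture; returns (clean_text, {syscall: redactions})."""
    out, per_syscall = [], {}
    for line in text.splitlines():
        clean, n = redact_strace_line(line)
        if n:  # record which syscall leaked, useful when reporting back to the user
            m = _CALL_RE.match(line)
            per_syscall[m.group(1) if m else "?"] = per_syscall.get(m.group(1) if m else "?", 0) + n
        out.append(clean)
    return "\n".join(out), per_syscall


# Constructed sample capture of the kind a user might paste into a bug report.
SAMPLE = r'''write(3, "POST /login HTTP/1.1\r\nAuthorization: Basic dXNlcjpodW50ZXIy\r\n\r\nuser=alice&password=hunter2", 97) = 97
read(4, "{\"user\": \"alice\", \"password\": \"hunter2\"}", 4096) = 41
write(5, "USER alice\r\nPASS hunter2\r\n", 26) = 26
open("/etc/passwd", O_RDONLY) = 3
'''

if __name__ == "__main__":
    clean, summary = redact_strace(SAMPLE)
    print(clean)
    print("redactions per syscall:", summary)
```

The byte counts strace prints after the string are left untouched, so a reviewer can still see that a payload was shortened by redaction rather than by the program.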
Comment 1 solar (RETIRED) 2003-12-10 14:06:51 UTC
Tobias, you should always read man files before running any command regardless of who told you to run it. I suggest you audit your own data before you POST it in the future. Changing resolution to INVALID.
Comment 2 SpanKY 2003-12-10 18:45:08 UTC
I e-mailed this bug to gentoo-dev so that other developers would think about such things before asking for straces ... yes, users should audit their own stuff, but as developers supporting a distribution we can't rely on end users knowing everything.
Comment 3 Tobias Klausmann (RETIRED) 2003-12-11 01:02:21 UTC
Solar: Er, one second. I /didn't/ submit any such data. I witnessed others doing so. And I feel that it'd be just courteous to explain to people willing to help what the implications of a command that a dev asked for are. For example "Please send in an strace, but make sure you don't have any real authentication data in your application." I know that this is not always possible. Still, I think that a large number of devs just aren't really aware of this issue. Further, if a dev sees such a submission (an strace containing auth info), privately mailing the submitter and maybe asking the Bugzilla admin to remove/fix this submission isn't asking for too much, IMHO. SpanKY: Thanks.
Comment 4 solar (RETIRED) 2003-12-12 17:47:54 UTC
Tobias, err, sorry here guy (been sick). I misunderstood your request initially. Anyway, as you feel pretty strongly about this issue, I encourage you to help raise awareness of this issue by sending mail to our -dev and various other lists to help make both devs and end users aware. SpanKY, thank you for sending a link to this bug.
Comment 5 Tobias Klausmann (RETIRED) 2003-12-13 04:06:33 UTC
Solar: I've contacted the GWN people about it. I think writing about it/explaining the implications in GWN might get the thought across to a large number of people. As for the misunderstanding: no hard feelings, we're all just humans (I think) ;)