NYT on Netscape Crack
Michael Shields
shields at tembel.org
Tue Sep 19 23:49:33 PDT 1995
> The server process itself still needs access to that file
> though in order to verify passwords, so it can't be totally
> protected-- a bug in the server might reveal the password file. A
> relatively minor point..

Actually, it could communicate with a differently-privileged process.
The security gain probably isn't worth the performance hit, though.

(A possible secure channel: Give the password manager a uid of its own.
Have it listen on a unix-domain socket. The server process opens the
socket, then fstat()s it to make sure it's really owned by the password
manager.)
--
Shields.