Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932659AbVIEJgN (ORCPT ); Mon, 5 Sep 2005 05:36:13 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S932662AbVIEJgM (ORCPT ); Mon, 5 Sep 2005 05:36:12 -0400 Received: from ns.firmix.at ([62.141.48.66]:11740 "EHLO ns.firmix.at") by vger.kernel.org with ESMTP id S932661AbVIEJgK (ORCPT ); Mon, 5 Sep 2005 05:36:10 -0400 Subject: Re: forbid to strace a program From: Bernd Petrovitsch To: Andreas Hartmann Cc: linux-kernel@vger.kernel.org In-Reply-To: References: <4IOGw-1DU-11@gated-at.bofh.it> <4IOGw-1DU-13@gated-at.bofh.it> <4IOGw-1DU-9@gated-at.bofh.it> <4IOQc-1Pk-23@gated-at.bofh.it> Content-Type: text/plain Organization: Firmix Software GmbH Date: Mon, 05 Sep 2005 11:36:05 +0200 Message-Id: <1125912965.27110.34.camel@tara.firmix.at> Mime-Version: 1.0 X-Mailer: Evolution 2.2.3 (2.2.3-2.fc4) Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1499 Lines: 37 On Sun, 2005-09-04 at 09:32 +0200, Andreas Hartmann wrote: > Chase Venters wrote: [...] > > > > Can I ask why you want to hide the database password from root? > > It's easy: for security reasons. There could always be some bugs in some > software, which makes it possible for some other user, to gain root > privileges. Now, they could easily strace for information, they shouldn't Forget it. You cannot hide anything seriously from root (or equivalent users on other OSes and so-called OSes) with such attempts (independent how the process got root - with the correct password or through a security hole somewhere). Consider the case that root installed a (patched) DB-server which dumps the passwords in some logfile. Or root logs from the authentication framework (be it PAM or something else) > could do it. The password they could see, isn't just used for the DB, but > for some other applications, too. That's the disadvantage of general > (single sign on) passwords. So either you get your own machine or you use different passwords for different services. Bernd -- Firmix Software GmbH http://www.firmix.at/ mobil: +43 664 4416156 fax: +43 1 7890849-55 Embedded Linux Development and Services - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/