james-server-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Noel J. Bergman" <n...@devtech.com>
Subject RE: Local security issue?
Date Fri, 07 Jun 2002 22:30:35 GMT
No kidding!  I was rather surprised, but I figured it is just under
development and used for debugging (plus, it can always be addressed by
appropriate access rights).  Still, it does need to be fixed.

Remember ... this is the raw command, and I think of it as a debugging aid.
I don't know how much of any of it is needed in a production server.  The
kind of thing you were mentioning is a different kind of warning (e.g.,
reporting a security concern).

	--- Noel

-----Original Message-----
From: Paul Hammant [mailto:Paul_Hammant@yahoo.com]
Sent: Friday, June 07, 2002 17:41
To: James Developers List
Subject: Re: Local security issue?

Noel J. Bergman wrote:

>>Perhaps passwords should not be echoed to the log.
>LOL No kidding.  :-) My initial thought was to alert *current* users of the
>potential problem, and advise them of steps they could take immediately.
>The code can be changed.  As it stands, logging is at a point where it is
>just echoing back the command entered
>    private boolean parseCommand(String commandRaw) {
>        if (commandRaw == null) return false;
>        getLogger().info("Command received: " + commandRaw);
>	...
>We haven't gotten to the code that does the parsing, so we don't yet know
>that the line IS a password.
Ahhh OK :-)

Well either way, the user community must believe that JAMES will never
journal/log passwords or they'll depart to other servers.

>I can move the log statement to after we parse out the verb.  FWIW, I also
>believe that this should be DEBUG, not INFO.
>Anyone object to these changes?

There is some wisdom that user ids should not be logged on failure of
auth, as they might have been transposed with passwords by a hapless
user.  Of course, if there are say 5 attempts with the same user id (and
failing) then it is evidence of hacking and thus should be logged.



To unsubscribe, e-mail:   <mailto:james-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:james-dev-help@jakarta.apache.org>

To unsubscribe, e-mail:   <mailto:james-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:james-dev-help@jakarta.apache.org>

View raw message