james-server-dev mailing list archives

From "Noel J. Bergman" <n...@devtech.com>
Subject RE: Local security issue?
Date Fri, 07 Jun 2002 21:19:55 GMT

> Perhaps passwords should not be echoed to the log.

LOL No kidding.  :-) My initial thought was to alert *current* users of the
potential problem, and advise them of steps they could take immediately.

The code can be changed.  As it stands, logging is at a point where it is
just echoing back the command entered:

    private boolean parseCommand(String commandRaw) {
        if (commandRaw == null) return false;
        getLogger().info("Command received: " + commandRaw);

We haven't gotten to the code that does the parsing, so we don't yet know
that the line IS a password.

I can move the log statement to after we parse out the verb.  FWIW, I also
believe that this should be DEBUG, not INFO.

Anyone object to these changes?

	--- Noel
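The change proposed above, as an added example that is neither James's code nor Noel's: the snippet's log-before-parse pattern next to a variant that parses the verb first, masks the PASS argument with ***** as Paul suggested, and logs at debug level. Plain Java with java.util.logging stands in for the Avalon logger the original calls through getLogger(); the class name, method names and sample client lines are assumptions, and the APOP handling goes beyond the message, which only discusses PASS.

```java
import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical class for this example, not part of James.
public class Pop3CommandLogging {
    private static final Logger LOG = Logger.getLogger(Pop3CommandLogging.class.getName());

    // The pattern in the snippet: the raw line is logged before anything is
    // known about it, so a line such as "PASS hunter2" lands in the log verbatim.
    // Returns the text that would be logged so a caller can inspect it.
    static String logLineBefore(String commandRaw) {
        if (commandRaw == null) return null;
        String msg = "Command received: " + commandRaw;
        LOG.info(msg);
        return msg;
    }

    // The proposed change: split the verb from its argument first, then decide
    // what is safe to write, and write it at DEBUG (FINE here) rather than INFO.
    static String logLineAfter(String commandRaw) {
        if (commandRaw == null) return null;
        String line = commandRaw.trim();
        int sp = line.indexOf(' ');
        // POP3 verbs are case-insensitive, so "pass" must be treated like "PASS".
        String verb = (sp < 0 ? line : line.substring(0, sp)).toUpperCase(Locale.ROOT);
        String argument = sp < 0 ? "" : line.substring(sp + 1).trim();

        String shown;
        if (verb.equals("PASS")) {
            // Never log the password; a fixed mask also hides its length.
            shown = argument.isEmpty() ? "" : " *****";
        } else if (verb.equals("APOP")) {
            // Beyond the message: APOP <name> <digest>. The digest is derived from
            // the shared secret, so log only the mailbox name.
            int sp2 = argument.indexOf(' ');
            shown = sp2 < 0 ? " " + argument
                            : " " + argument.substring(0, sp2) + " *****";
        } else {
            shown = argument.isEmpty() ? "" : " " + argument;
        }
        String msg = "Command received: " + verb + shown;
        LOG.log(Level.FINE, msg);
        return msg;
    }

    public static void main(String[] args) {
        // Constructed sample client lines, not captured traffic.
        String[] samples = {
            "USER alice",
            "PASS hunter2",
            "pass  with leading space",
            "APOP alice c4c9334bac560ecc979e58001b3e22fb",
            "STAT"
        };
        for (String s : samples) {
            System.out.println("before: " + logLineBefore(s));
            System.out.println("after:  " + logLineAfter(s));
        }
    }
}
```

Keeping the parsed verb in the log preserves what the INFO line was useful for (seeing which commands a client sent) while the only argument that is a secret never reaches the file; the file permissions Noel mentioned are still worth setting, but they become a second layer rather than the only one.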

-----Original Message-----
From: Paul Hammant [mailto:Paul_Hammant@yahoo.com]
Sent: Friday, June 07, 2002 16:53
To: James Developers List
Subject: Re: Local security issue?


Perhaps passwords should not be echoed to the log. ***** instead?


>Should we be warning admins that if the mail server has shell users or
>network file visibility, they need to be sure to lock down the directory
>containing the james logs, or at least the pop3server log?  The reason
>that all commands received are echoed to the log ... including the user's
>Alternatively, they could be told to change the logging level from DEBUG to
>	--- Noel

To unsubscribe, e-mail:   <mailto:james-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:james-dev-help@jakarta.apache.org>
