[Security] Improve plain text password handling in code #4930
Assignees
Labels
Comments
"A pivot by Intel in 2021 resulted in the deprecation of SGX from the 11th and 12th generation Intel Core Processors, but development continues on Intel Xeon for cloud and enterprise use." Feature is difficult to use. Taking into account limited set of platform that has hw support, benefits are very questionable. |
I don't find a way to set |
alexey-tikhonov
added a commit
to alexey-tikhonov/sssd
that referenced
this issue
May 26, 2022
:config: New option 'core_dumpable' to manage 'PR_SET_DUMPABLE' flag of sssd_pam and sssd_be processes. Enabled by default. Resolves: SSSD#4930
alexey-tikhonov
added a commit
to alexey-tikhonov/sssd
that referenced
this issue
May 27, 2022
:config: New option 'core_dumpable' to manage 'PR_SET_DUMPABLE' flag of sssd_pam and sssd_be processes. Enabled by default. Resolves: SSSD#4930
alexey-tikhonov
added a commit
to alexey-tikhonov/sssd
that referenced
this issue
May 27, 2022
:config: New option 'core_dumpable' to manage 'PR_SET_DUMPABLE' flag of sssd_pam and sssd_be processes. Enabled by default. Resolves: SSSD#4930
alexey-tikhonov
added a commit
to alexey-tikhonov/sssd
that referenced
this issue
Jun 16, 2022
:config: New option 'core_dumpable' to manage 'PR_SET_DUMPABLE' flag of sssd_pam and sssd_be processes. Enabled by default. Resolves: SSSD#4930
alexey-tikhonov
added a commit
to alexey-tikhonov/sssd
that referenced
this issue
Jun 21, 2022
:config: New option 'core_dumpable' to manage 'PR_SET_DUMPABLE' flag of SSSD processes. Enabled by default. Resolves: SSSD#4930
alexey-tikhonov
added a commit
to alexey-tikhonov/sssd
that referenced
this issue
Jun 22, 2022
:config: New option 'core_dumpable' to manage 'PR_SET_DUMPABLE' flag of SSSD processes. Enabled by default. Resolves: SSSD#4930
alexey-tikhonov
added a commit
to alexey-tikhonov/sssd
that referenced
this issue
Jun 29, 2022
:config: New option 'core_dumpable' to manage 'PR_SET_DUMPABLE' flag of SSSD processes. Enabled by default. Resolves: SSSD#4930
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3956
This is about:
https://labs.portcullis.co.uk/blog/an-offensive-introduction-to-active-directory-on-unix/
After some discussions i think we can make this better my using the following:
Use PR_SET_DUMPABLE for pages which have passwords etc, to ensure
that coredumps dont contain cleartext passwords.
Use SGX when available
https://en.wikipedia.org/wiki/Software_Guard_Extensions
Lastly and more importantly fedora has explicit_bzero which you
should use rather manually scrub memory. Please see
https://www.gnu.org/software/libc/manual/html_node/Erasing-Sensitive-Data.html
This is not optimized by the compiler.
Comments
Comment from atikhonov at 2019-11-19 15:24:22
Metadata Update from @atikhonov:
Comment from atikhonov at 2019-11-28 22:41:28
PR #948 partially addresses item (3)
Comment from pbrezina at 2019-11-29 11:23:38
Commit 0a6fdec5 relates to this ticket
Comment from pbrezina at 2019-11-29 11:23:38
Commit 109c21ef relates to this ticket
Comment from pbrezina at 2019-11-29 11:23:39
Commit ad1ae003 relates to this ticket
Comment from pbrezina at 2019-11-29 11:23:39
Commit 275e062b relates to this ticket
Comment from pbrezina at 2019-11-29 11:23:40
Commit 0165ef11 relates to this ticket
Comment from pbrezina at 2019-11-29 11:23:40
Commit f2245b53 relates to this ticket
Comment from pbrezina at 2019-11-29 11:27:20
masterComment from pbrezina at 2020-03-13 14:48:10
Alexey, did the patches fix this ticket? If yes, please close it.
Comment from pbrezina at 2020-03-13 14:48:11
Metadata Update from @pbrezina:
Comment from atikhonov at 2020-03-13 15:34:45
No. Only item (3) is partially addressed. Another question if we want (1) and (2) to be done.
The text was updated successfully, but these errors were encountered: