[Security] Improve plain text password handling in code #4930
Comments
"A pivot by Intel in 2021 resulted in the deprecation of SGX from the 11th and 12th generation Intel Core Processors, but development continues on Intel Xeon for cloud and enterprise use." Feature is difficult to use. Taking into account the limited set of platforms that have hw support, benefits are very questionable.
I don't find a way to set
:config: New option 'core_dumpable' to manage 'PR_SET_DUMPABLE' flag of sssd_pam and sssd_be processes. Enabled by default. Resolves: SSSD#4930
:config: New option 'core_dumpable' to manage 'PR_SET_DUMPABLE' flag of SSSD processes. Enabled by default. Resolves: SSSD#4930
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3956
This is about:
https://labs.portcullis.co.uk/blog/an-offensive-introduction-to-active-directory-on-unix/
After some discussions I think we can make this better by using the following:
1. Use PR_SET_DUMPABLE for pages which have passwords etc., to ensure
   that coredumps don't contain cleartext passwords.
2. Use SGX when available
   https://en.wikipedia.org/wiki/Software_Guard_Extensions
3. Lastly and more importantly, Fedora has explicit_bzero, which you
   should use rather than manually scrubbing memory. Please see
   https://www.gnu.org/software/libc/manual/html_node/Erasing-Sensitive-Data.html
   This is not optimized by the compiler.
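The two software mitigations named in the issue, PR_SET_DUMPABLE and explicit_bzero, shown together as an added example. This is not SSSD code and not part of the original issue; the function names `apply_core_dumpable`, `with_scrubbed_copy` and `sample_use` are hypothetical, the secret is a constructed sample, and it assumes Linux with glibc 2.25 or later.

```c
#define _GNU_SOURCE            /* exposes explicit_bzero() in glibc >= 2.25 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Hypothetical helper: apply a core_dumpable-style boolean to the calling
 * process. The flag is a per-process attribute, so every process that handles
 * secrets has to set it itself. Returns the value read back from the kernel
 * (0 or 1), or -1 if the prctl() call failed. */
int apply_core_dumpable(bool core_dumpable)
{
    if (prctl(PR_SET_DUMPABLE, core_dumpable ? 1 : 0, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Constructed sample consumer: stands in for the real authentication call. */
int sample_use(const char *pw) { return (int)strlen(pw); }

/* Hypothetical helper: copy the secret into a working buffer, hand it to
 * 'use', then scrub the buffer on every exit path. Returns what 'use'
 * returned, or -1 if the secret does not fit. *residue receives the number
 * of non-zero bytes left in the buffer after scrubbing. */
int with_scrubbed_copy(const char *secret, int (*use)(const char *),
                       size_t *residue)
{
    char buf[128];
    size_t len = strlen(secret);
    int rc = -1;

    if (len < sizeof(buf)) {
        memcpy(buf, secret, len + 1);
        rc = use(buf);
    }
    /* A plain memset() here is a dead store the compiler may remove;
     * explicit_bzero() is guaranteed to be performed. */
    explicit_bzero(buf, sizeof(buf));
    *residue = 0;
    for (size_t i = 0; i < sizeof(buf); i++)
        *residue += (buf[i] != 0);
    return rc;
}

int main(void)
{
    size_t left;
    printf("dumpable after disable: %d\n", apply_core_dumpable(false));
    printf("use rc: %d\n", with_scrubbed_copy("constructed-secret", sample_use, &left));
    printf("non-zero bytes left: %zu\n", left);
    return 0;
}
```

Reading the flag back with PR_GET_DUMPABLE confirms the setting took effect in the current process rather than assuming the call succeeded.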
Comments
Comment from atikhonov at 2019-11-19 15:24:22
Metadata Update from @atikhonov:
Comment from atikhonov at 2019-11-28 22:41:28
PR #948 partially addresses item (3)
Comment from pbrezina at 2019-11-29 11:23:38
Commit 0a6fdec5 relates to this ticket
Comment from pbrezina at 2019-11-29 11:23:38
Commit 109c21ef relates to this ticket
Comment from pbrezina at 2019-11-29 11:23:39
Commit ad1ae003 relates to this ticket
Comment from pbrezina at 2019-11-29 11:23:39
Commit 275e062b relates to this ticket
Comment from pbrezina at 2019-11-29 11:23:40
Commit 0165ef11 relates to this ticket
Comment from pbrezina at 2019-11-29 11:23:40
Commit f2245b53 relates to this ticket
Comment from pbrezina at 2019-11-29 11:27:20
master
Comment from pbrezina at 2020-03-13 14:48:10
Alexey, did the patches fix this ticket? If yes, please close it.
Comment from pbrezina at 2020-03-13 14:48:11
Metadata Update from @pbrezina:
Comment from atikhonov at 2020-03-13 15:34:45
No. Only item (3) is partially addressed. Another question if we want (1) and (2) to be done.