ADSM-L

Re: Clear text passwords. Was: Automating dsmserv

Subject: Re: Clear text passwords. Was: Automating dsmserv
From: Thomas Denier <Thomas.Denier AT MAIL.TJU DOT EDU>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Tue, 27 May 2003 16:21:59 -0400
> one solution:
>
> We created an admin account (e.g. QUERY) that is granted no authority,
> which means it can do queries but can't change anything.
> For scripts that just do queries, we use that admin id and don't sweat
> whether it's hackable.
> Now in theory somebody could find out the password and SUBMIT A BIG QUERY
> that ties up your server,
> but really, so what.... not in my list of Worst Things to Worry About.

There is another potential issue with this approach. A user with no
authority can run query or select commands that report client file
names. One can readily imagine scenarios in which this capability
raises serious privacy concerns.