xauth: needs cookie handling warnings in man page

Michael Gilbert michael.s.gilbert at gmail.com
Mon Jul 25 15:13:07 PDT 2011


Alan Coopersmith wrote:

> On 07/22/11 20:18, Michael Gilbert wrote:
> > Hi,
> > 
> > Insecure xauth usage has led to a few security bugs recently fixed in
> > Debian. Man page warnings may guide users/developers toward more secure
> > usages.  See attached patch for a possible solution.
> 
> Are you adding warnings to every man page for every program that users may
> pass secret data to on the command line?

Certainly not, but when a systematic misuse occurs over and over again,
it indicates a problem worth contemplating.  This warning only really
helps attentive developers/users anyway, and most will simply ignore
these as seemingly pedantic anyway.  I would argue it's worth it to help
the few who are willing to be observant, rather than to leave everyone to
fend on their own.

> Seems like a huge task, and I'd
> hope there's a better way to educate script writers not to do that for any
> command, not just those with man page warnings.   (Though I can't actually
> think of one off the top of my head at the moment.)

Another option would be to present the warnings at runtime when the
insecure commands are issued, but that would probably be viewed as
overly intrusive.

Please cc me on replies.

Best wishes,
Mike

