Ricky Zhou wrote:
> I don't think just showing code/non-sensitive debugging information is a
> huge security problem. Consider that the code for the accounts system
> is publicly viewable in CVS anyway (hooray for openness):
> http://cvs.fedoraproject.org/viewcvs/fedora-accounts/?root=fedora.

Having the code publicly available is one matter. However, the error showed the following security-related items in any case:

* Python is being used (Risk: a hacker won't try Perl, Ruby, or shell code...)
* Python v2.4.3 is being used (Risk: no need to guess at which cracks will work...)
* PostgreSQL is being used (Risk: no need to try mySQL hacks....)
* Directory tree: /srv/web/accounts/ (Risk: no need to search out location of code...)

Certainly, having the code being open is a risk but a calculated one which is offset by the benefits.

In security, this is known as an "information leak." The best thing to do is *hide* all of this information (which also leads to nicer "error" pages for the user - no tech info, just a "sorry, nasty error: reported to sysadmin, thanks." or some such).

--
UNIX System Administrator
Linux+, SCSA, RHCE, LPIC-1
HP-UX, Linux, Solaris, FreeBSD
Books: "Advanced System Administration" and "GNU Screen: A Comprehensive Introduction"
http://www.lulu.com/ssrat
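The "hide the tech info, log it for the sysadmin" approach suggested in the reply, as an added example that is not part of the thread or of the fedora-accounts code: a WSGI middleware (names, the failing stand-in handler and its error text are all constructed for illustration) that logs the full traceback server-side under a random reference id and returns only a generic page to the client.

```python
import logging
import sys
import traceback
import uuid

# Constructed logger name; in deployment, route it to the sysadmin's log sink.
log = logging.getLogger("accounts.errors")

GENERIC_BODY = ("Sorry, an internal error occurred. It has been reported to "
                "the system administrator. Reference: {ref}\n")


def safe_error_middleware(app):
    """Wrap a WSGI app so uncaught exceptions never reach the client.

    The traceback (interpreter version, file paths, backend error text) goes
    to the server log under a reference id; the client only sees that id.
    """
    def wrapped(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            ref = uuid.uuid4().hex[:12]
            log.error("ref=%s path=%s\n%s", ref, environ.get("PATH_INFO", ""),
                      traceback.format_exc())
            body = GENERIC_BODY.format(ref=ref).encode("utf-8")
            # Pass exc_info so this works even if the app already sent headers.
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain; charset=utf-8"),
                            ("Content-Length", str(len(body)))], sys.exc_info())
            return [body]
    return wrapped


def broken_accounts_app(environ, start_response):
    """Constructed stand-in for a handler whose database call blows up."""
    raise RuntimeError("FATAL: could not connect to server from "
                       "/srv/web/accounts/db.py (constructed message)")


def call(app, path="/"):
    """Minimal WSGI driver: returns (status line, body text) for one request."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], body.decode("utf-8")


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)  # traceback lands on stderr, not in the page
    print(call(safe_error_middleware(broken_accounts_app), "/accounts/login"))
```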