Bug 179832
| Summary: | mail-notification saves passwords in clear text with read access for everybody | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Terje Rosten <terje.rosten> |
| Component: | mail-notification | Assignee: | Thorsten Leemhuis <fedora> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4 | CC: | dennis, extras-qa |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2006-07-02 09:54:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Terje Rosten
2006-02-03 09:36:13 UTC
(In reply to comment #0)
> however, passwords are saved unhashed in clear text

That's the case for fetchmail too, iirc.

> and on top of that
> file access permissions on the file is wide open: 0644.

Yeah, that's a problem. Upstream is working on a fix.

> If this issue is not going to be fixed, mail-notification should be removed
> from Fedora Extras.

No, I don't think that this is so important. It wouldn't change much btw -- most people already have installed it and removing it from the repo doesn't help them.

(In reply to comment #1)
> (In reply to comment #0)
> > however, passwords are saved unhashed in clear text
> That's the case for fetchmail too, iirc

Yes, but that doesn't make it right.

> > and on top of that
> > file access permissions on the file is wide open: 0644.
> Yeah, that's a problem. Upstream is working on a fix.
>
> > If this issue is not going to be fixed, mail-notification should be removed
> > from Fedora Extras.
> No, I don't think that this is so important. It wouldn't change much btw -- most
> people already have installed it and removing it from the repo doesn't help them.

I don't think it's the hugest deal in the world, mostly because the files are in a home dir; default perms only allow the user access to that part of the tree. It's exploitable by you getting up and walking away from your computer and someone coming and sitting down. It requires local access. But yes, it needs fixing. It shouldn't be too hard to change the perms that are set.

Please look at this.

mail-notification seems like an excellent place to deploy GNOME Keyring. Unfortunately, the main upstream developer feels that "the gnome-keyring paradigm (passwords are worthy of encryption and everything else is not) is obviously flawed" and therefore he does not intend to support it: <http://savannah.nongnu.org/bugs/?18893>.

By the way, Gmail passwords do go into GNOME Keyring. But that's actually gnomevfs's doing, not anything that mail-notification is doing.
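The thread converges on changing the permissions the config file is created with. As an added example (not mail-notification's own code), the Python below reproduces the 0644 result of a plain open() under the common umask 022 beside a writer that creates the credential file as 0600 with no window of exposure, plus a check a packager or auditor could run over a config directory; all paths and the sample secret are constructed.

```python
import os
import stat
import tempfile

def write_private_file(path: str, data: bytes) -> None:
    """Write a credential file so it is never visible with loose permissions.

    open(path, "w") creates the file as 0666 masked by the umask, which with the
    usual umask 022 gives the 0644 reported here; a chmod afterwards still leaves a
    window. Here the data goes to a mkstemp() temp file (created 0600), the mode
    is pinned with fchmod() (not umask-dependent) and the file is renamed into place.
    """
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".", suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as fh:
            os.fchmod(fh.fileno(), 0o600)   # explicit, independent of umask
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)               # atomic: old copy and its mode are gone
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise

def file_mode(path: str) -> int:
    """Permission bits only (e.g. 0o644), without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)

def is_private(path: str) -> bool:
    """True when neither group nor others have any access bit set."""
    return file_mode(path) & 0o077 == 0

def demo() -> tuple:
    """Reproduce the reported 0644 case beside the fixed one; returns modes and checks."""
    secret = b"password=constructed-sample-secret\n"   # constructed sample value
    with tempfile.TemporaryDirectory() as d:
        buggy, fixed = os.path.join(d, "buggy.conf"), os.path.join(d, "fixed.conf")
        old = os.umask(0o022)                 # the common default that yields 0644
        try:
            with open(buggy, "wb") as fh:     # the pattern behind the bug report
                fh.write(secret)
        finally:
            os.umask(old)
        write_private_file(fixed, secret)
        return file_mode(buggy), file_mode(fixed), is_private(buggy), is_private(fixed)
```

Run `is_private()` over each file in a user's config directory to flag stored credentials that other local accounts can read.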