Description of problem:
There is a security problem with mail-notification: the program saves data about mail accounts in the file ~/.gnome2/mail-notification/mailboxes.xml; however, passwords are saved unhashed in clear text and, on top of that, the file access permissions on the file are wide open: 0644.

Version-Release number of selected component (if applicable):
mail-notification-2.0-2.fc4

How reproducible:
o Start mail-notification with the "display the main window" option: $ mail-notification -m
o Choose Preferences and then Mailboxes
o Add an account
o Have a look in the file ~/.gnome2/mail-notification/mailboxes.xml

Additional info:
If this issue is not going to be fixed, mail-notification should be removed from Fedora Extras.
(In reply to comment #0)
> however, passwords are saved unhashed in clear text

That's the case for fetchmail too, iirc

> and on top of that
> the file access permissions on the file are wide open: 0644.

Yeah, that's a problem. Upstream is working on a fix.

> If this issue is not going to be fixed, mail-notification should be removed
> from Fedora Extras.

No, I don't think that this is so important. It wouldn't change much btw -- most people already have installed it and removing it from the repo doesn't help them.
(In reply to comment #1)
> (In reply to comment #0)
> > however, passwords are saved unhashed in clear text
> That's the case for fetchmail too, iirc

yes but that doesn't make it right

> > and on top of that
> > the file access permissions on the file are wide open: 0644.
> Yeah, that's a problem. Upstream is working on a fix.
>
> > If this issue is not going to be fixed, mail-notification should be removed
> > from Fedora Extras.
> No, I don't think that this is so important. It wouldn't change much btw -- most
> people already have installed it and removing it from the repo doesn't help them.

I don't think it's the hugest deal in the world, mostly because the files are in a home dir and the default perms only allow the user access to that part of the tree. It's exploitable by you getting up and walking away from your computer and someone coming and sitting down; it requires local access. But yes, it needs to be fixed. It shouldn't be too hard to change the perms that are set.
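As an added example (not code from the bug report, from Fedora, or from mail-notification itself), the following Python script does what comment #2 suggests: it audits the mailboxes.xml file named in comment #0 and drops the group/other bits, and shows how such a file should be written so it is private from the moment it exists. The path comes from the report; the function names and the helper layout are my own.

```python
"""Audit and tighten permissions on mail-notification's mailboxes.xml.
Added example; not code from the bug report or from mail-notification.
The config path is the one named in comment #0; everything else is assumed.
"""
import os
import stat
import tempfile
from pathlib import Path

DEFAULT_CONFIG = Path.home() / ".gnome2" / "mail-notification" / "mailboxes.xml"
# Permission bits that must never be set on a file holding account passwords.
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO

def exposed_bits(mode: int) -> int:
    """Return the group/other bits set in `mode`; 0 means the file is private."""
    return stat.S_IMODE(mode) & GROUP_OTHER

def harden(path: Path = DEFAULT_CONFIG) -> tuple:
    """Drop group/other access on `path`; return (old_mode, new_mode).
    Opened with O_NOFOLLOW and chmod'ed via the descriptor, so a symlink
    planted at the config path cannot redirect the chmod to another file.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        old = stat.S_IMODE(os.fstat(fd).st_mode)
        new = old & ~GROUP_OTHER
        if new != old:
            os.fchmod(fd, new)
    finally:
        os.close(fd)
    return old, new

def write_private(path: Path, data: bytes) -> int:
    """Write `data` so `path` is never group/other-readable, even briefly.
    mkstemp creates the temp file 0600 regardless of umask; os.replace then
    swaps it in atomically. Returns the final mode of `path`.
    """
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".mailboxes-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return stat.S_IMODE(os.stat(path).st_mode)
```

Running `harden()` with no argument fixes the real file in the current user's home; the plaintext passwords inside it are, of course, unchanged by this.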
Please look at this.
mail-notification seems like an excellent place to deploy GNOME Keyring. Unfortunately, the main upstream developer feels that "the gnome-keyring paradigm (passwords are worthy of encryption and everything else is not) is obviously flawed" and therefore he does not intend to support it: <http://savannah.nongnu.org/bugs/?18893>. By the way, Gmail passwords do go into GNOME Keyring. But that's actually gnomevfs's doing, not anything that mail-notification is doing.