[Mldonkey-bugs] [bugs #11185] Passwords stored insecurely

[anonymous]

This mail is an automated notification from the bugs tracker
 of the project: mldonkey, a multi-networks file-sharing client.




/**************************************************************************/
[bugs #11185] Full Item Snapshot:

URL: <http://savannah.nongnu.org/bugs/?func=detailitem&item_id=11185>
Project: mldonkey, a multi-networks file-sharing client
Submitted by: 0
On: Wed 12/01/04 at 11:58

Category:  Core
Severity:  5 - Average
Item Group:  Program malfunction
Resolution:  None
Privacy:  Public
Assigned to:  None
Status:  Open
Release:  None
Release:  
Platform Version:  None
Binaries Origin:  None
CPU type:  None


Summary:  Passwords stored insecurely

Original Submission:  mldonkey stores its access passwords in downloads.ini, 
which is typically world-readable. Since the file is not overwritten but moved 
and recreated every time it's saved, permissions will not be preserved; the 
only way to protect password hashes is to make the whole working directory 
inaccessible or to set the umask for the mldonkey process. Both of these are 
undesirable, since users may want to allow others access to downloaded files, 
etc. (Especially true if you run mlnet process under a uid separate from your 
own uid!)

The solution is to use 0600 rather than 0666 as the file creation mode for 
downloads.ini, or move the passwords to a separate file that's given restricted 
permissions so that the other info in downloads.ini can be left world-readable.











For detailed info, follow this link:
<http://savannah.nongnu.org/bugs/?func=detailitem&item_id=11185>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/