[Mldonkey-bugs] [bugs #11185] Passwords stored insecurely
From: anonymous
Subject: [Mldonkey-bugs] [bugs #11185] Passwords stored insecurely
Date: Wed, 01 Dec 2004 12:04:11 -0500
User-agent: ELinks (0.9.CVS; GNU/Linux)
This mail is an automated notification from the bugs tracker
of the project: mldonkey, a multi-networks file-sharing client.
/**************************************************************************/
[bugs #11185] Full Item Snapshot:
URL: <http://savannah.nongnu.org/bugs/?func=detailitem&item_id=11185>
Project: mldonkey, a multi-networks file-sharing client
Submitted by: 0
On: Wed 12/01/04 at 11:58
Category: Core
Severity: 5 - Average
Item Group: Program malfunction
Resolution: None
Privacy: Public
Assigned to: None
Status: Open
Release: None
Release:
Platform Version: None
Binaries Origin: None
CPU type: None
Summary: Passwords stored insecurely
Original Submission: mldonkey stores its access passwords in downloads.ini,
which is typically world-readable. Since the file is not overwritten but moved
and recreated every time it's saved, permissions will not be preserved; the
only way to protect password hashes is to make the whole working directory
inaccessible or to set the umask for the mldonkey process. Both of these are
undesirable, since users may want to allow others access to downloaded files,
etc. (Especially true if you run mlnet process under a uid separate from your
own uid!)
The solution is to use 0600 rather than 0666 as the file creation mode for
downloads.ini, or move the passwords to a separate file that's given restricted
permissions so that the other info in downloads.ini can be left world-readable.
For detailed info, follow this link:
<http://savannah.nongnu.org/bugs/?func=detailitem&item_id=11185>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
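
The behaviour described in the report, as an added C example (not mldonkey's own code, which is written in OCaml): a save-by-rename routine in which the creation mode of the new file, not the mode of the file it replaces, decides the final permissions. The file name, function names and sample content are constructed for illustration.

```c
/* Added example, not mldonkey code: save-by-rename and file creation mode. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write data to "<path>.tmp" created with create_mode, then rename it over
 * path. Returns 0 on success, -1 on error. */
int save_by_rename(const char *path, const char *data, mode_t create_mode)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp)
        return -1;
    unlink(tmp);  /* drop a stale temp file left by an earlier crash */
    /* O_EXCL: never reuse an existing file (and its old mode bits). */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, create_mode);
    if (fd < 0)
        return -1;
    size_t len = strlen(data);
    int ok = write(fd, data, len) == (ssize_t)len && fsync(fd) == 0;
    ok = (close(fd) == 0) && ok;
    if (!ok || rename(tmp, path) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* Permission bits of path, or -1 if it cannot be stat'ed. */
int file_mode(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

int main(void)
{
    const char *path = "downloads.ini.example";    /* constructed file name */
    umask(022);                                     /* common default umask */
    save_by_rename(path, "password = <hash>\n", 0666);
    chmod(path, 0600);                              /* tightened by hand */
    save_by_rename(path, "password = <hash>\n", 0666);
    printf("after 0666 save: %04o\n", file_mode(path));  /* chmod was lost */
    save_by_rename(path, "password = <hash>\n", 0600);
    printf("after 0600 save: %04o\n", file_mode(path));
    unlink(path);
    return 0;
}
```

With mode 0666 the result depends entirely on the process umask; with 0600 the file stays owner-only under any umask, because the umask can only clear permission bits.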