mldonkey-bugs

[Mldonkey-bugs] [bug #11185] Passwords stored insecurely


From: spiralvoice
Subject: [Mldonkey-bugs] [bug #11185] Passwords stored insecurely
Date: Mon, 18 Apr 2005 19:13:42 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.7) Gecko/20050417 Firefox/1.0.3

URL:
  <http://savannah.nongnu.org/bugs/?func=detailitem&item_id=11185>

                 Summary: Passwords stored insecurely
                 Project: mldonkey, a multi-networks file-sharing client
            Submitted by: None
            Submitted on: Wed 01.12.2004 at 16:58
                Category: Core
                Severity: 3 - Normal
              Item Group: Program malfunction
                  Status: None
             Assigned to: None
             Open/Closed: Open
                 Release: None
        Platform Version: None
         Binaries Origin: None
                CPU type: None

    _______________________________________________________

Details:

mldonkey stores its access passwords in downloads.ini, which is typically
world-readable. Since the file is not overwritten but moved and recreated
every time it's saved, permissions will not be preserved; the only way to
protect password hashes is to make the whole working directory inaccessible
or to set the umask for the mldonkey process. Both of these are undesirable,
since users may want to allow others access to downloaded files, etc.
(Especially true if you run mlnet process under a uid separate from your own
uid!)

The solution is to use 0600 rather than 0666 as the file creation mode for
downloads.ini, or move the passwords to a separate file that's given
restricted permissions so that the other info in downloads.ini can be left
world-readable.



    _______________________________________________________

Carbon-Copy List:

CC Address                          | Comment
------------------------------------+-----------------------------
address@hidden              | 




    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?func=detailitem&item_id=11185>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/




