List:       kmail-devel
Subject:    Re: Saving of passwords (Was: Security status)
From:       Stefan Taferner <taferner () salzburg ! co ! at>
Date:       2000-02-07 13:53:30

On Mon, 07 Feb 2000, Waldo Bastian wrote:
> On Mon, 07 Feb 2000, George Staikos wrote:
[...]
> By pulling sensitive data out of the config file and into a separate
> file it is easier to give this file the right permissions.

Maybe we should suggest to have a directory
~/.kde/secure  ?

I think there are other files also that should not be world readable.

> > > > We're just adding
> > > > more security through obscurity, really.
> > >
> > > Scrambling the password to make it "non-plaintext" falls in the
> > > category "security through obscurity". Ensuring correct
> > > file-permissions on sensitive data is a sane way to build a secure
> > > system.
> >
> >    Correct and this should be on the homedirectory and the .kde
> > directory.
>
> Bullshit. Not everything in my home / .kde directory needs to be
> inaccessible just because a mail-program is too lazy to set correct
> file-permissions.

Did you discuss these things with others too?

There is a kcontrol module that sets things for email sending and
receiving. This is the first place where something shall be fixed.

Besides that I agree with what others said: if somebody does a
chmod -R a+r ~/.kde  then *all* the files will be readable. Your
suggestion with the separate file does not change anything.

The best way IMO is to use a real two way encryption algorithm
for the password file. Does anybody know a good and free one
that can be distributed all over the world?

--Stefan
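The permission-based approach the thread argues about, as an added example in Python (not code from this thread or from KMail): a writer that creates the password file with mode 0600 from the moment it exists, and a reader that refuses to use it unless it is a regular file, owned by the caller, and not readable by group or others, the same check ssh applies to private keys. The second half of the demonstration is exactly the situation described above: after a `chmod a+r` on the file the reader rejects it instead of silently handing out the password. The `secure` subdirectory (mirroring the ~/.kde/secure proposal), the file name `passwords` and the sample password are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile

# Constructed sample secret for the demonstration only; not a real credential.
SAMPLE_PASSWORD = "correct horse battery staple"


def write_secret(path, secret):
    """Create `path` with mode 0600 and write `secret` into it.

    The mode is passed to os.open() so the file never exists with looser
    permissions, even briefly. fchmod() afterwards defeats a permissive umask
    (the mode argument is masked by it), and O_EXCL makes the call fail if
    something is already sitting at the path, e.g. a symlink planted there.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, secret.encode("utf-8"))
    finally:
        os.close(fd)


def read_secret(path):
    """Return the secret stored in `path`, or raise PermissionError.

    The checks run on the opened descriptor (fstat), not on the path, so the
    file cannot be swapped between the check and the read. A file that is
    not a regular file, not ours, or readable by group/others is rejected.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, not by us")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(
                f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is too permissive; "
                "expected 0600"
            )
        return os.read(fd, 4096).decode("utf-8")
    finally:
        os.close(fd)


def demo(workdir=None):
    """Round-trip a secret, then show what a stray `chmod a+r` does to it.

    Returns (secret_read_back, error_message_after_chmod). The error message
    is None if the reader wrongly accepted the loosened file.
    """
    cleanup = workdir is None
    if cleanup:
        workdir = tempfile.mkdtemp(prefix="secure-demo-")
    try:
        secure_dir = os.path.join(workdir, "secure")   # stands in for ~/.kde/secure
        os.mkdir(secure_dir, 0o700)
        path = os.path.join(secure_dir, "passwords")

        write_secret(path, SAMPLE_PASSWORD)
        recovered = read_secret(path)

        os.chmod(path, 0o644)   # what `chmod -R a+r ~/.kde` would leave behind
        try:
            read_secret(path)
            error = None
        except PermissionError as exc:
            error = str(exc)
        return recovered, error
    finally:
        if cleanup:
            shutil.rmtree(workdir)


if __name__ == "__main__":
    secret, err = demo()
    print("read back:       ", secret)
    print("after chmod a+r: ", err)
```

Note that the reader's refusal does not protect a file that was already world-readable while someone else copied it; it only stops the program from continuing to operate on a file whose permissions it no longer trusts, which is the most a permission-based scheme can offer once the user has run `chmod -R a+r`.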
