List: kmail-devel
Subject: Re: Saving of passwords (Was: Security status)
From: Stefan Taferner <taferner () salzburg ! co ! at>
Date: 2000-02-07 13:53:30
On Mon, 07 Feb 2000, Waldo Bastian wrote:
> On Mon, 07 Feb 2000, George Staikos wrote:
[...]
> By pulling sensitive data out of the config file and into a separate
> file it is easier to give this file the right permissions.

Maybe we should suggest to have a directory
~/.kde/secure ?
I think there are other files also that should not be world readable.

> > > > We're just adding
> > > > more security through obscurity, really.
> > >
> > > Scrambling the password to make it "non-plaintext" falls in the
> > > category "security through obscurity". Ensuring correct
> > > file-permissions on sensitive data is a sane way to build a secure
> > > system.
> >
> > Correct and this should be on the home directory and the .kde
> > directory.
>
> Bullshit. Not everything in my home / .kde directory needs to be
> inaccessible just because a mail-program is too lazy to set correct
> file-permissions.

Did you discuss these things with others too?
There is a kcontrol module that sets things for email sending and
receiving. This is the first place where something shall be fixed.
Besides that I agree with what others said: if somebody does a
chmod -R a+r ~/.kde then *all* the files will be readable. Your
suggestion with the separate file does not change anything.
The best way IMO is to use a real two way encryption algorithm
for the password file. Does anybody know a good and free one
that can be distributed all over the world?
--Stefan