List:       kmail-devel
Subject:    Re: Saving of passwords (Was: Security status)
From:       George Staikos <staikos () 0wned ! org>
Date:       2000-02-07 13:32:47

-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 07 Feb 2000, Waldo Bastian wrote:

> > > That is no reason to create additional security weaknesses.
> >
> >   We aren't creating an additional security weakness though.  I don't
> > see it being any more or less secure by putting it in a different
> > file.  Just more of a pain.
> 
> By pulling sensitive data out of the config file and into a separate 
> file it is easier to give this file the right permissions.

   Yes, it's easier to set the permissions just on the password and not on the
rest of the config information.  I think it's still a pain.  The .kde dir is
already so large.  We're just making it larger.  Plus now we have two files to
move around from machine to machine for those of us who do such things.

> > > > We're just adding
> > > > more security through obscurity, really.
> > >
> > > Scrambling the password to make it "non-plaintext" falls in the
> > > category "security through obscurity". Ensuring correct
> > > file-permissions on sensitive data is a sane way to build a secure
> > > system.
> >
> >    Correct, and this should be on the home directory and the .kde
> > directory.
> 
> Bullshit. Not everything in my home / .kde directory needs to be 
> inaccessible just because a mail-program is too lazy to set correct 
> file-permissions.

  The mail program should set the proper file permissions.  This still isn't
a reason to have 2 files for the config data.

> That's like setting /etc to 0700 because you don't want to set 
> /etc/shadow to 0600. 

  /etc is a system directory and needs to be accessible by everyone.  ~ is
not.

- -- 

George Staikos 


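
The point both sides of the message above accept (the mail program itself sets the permissions on the stored password, as with /etc/shadow at 0600) can be sketched as follows. This is an added example, not part of the original message and not KMail code; the function names are hypothetical.

```c
/* Added example, not KMail code. Function names are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Store `secret` in its own file with mode 0600, independent of the
 * umask and of the permissions on the enclosing directory.
 * Returns 0 on success, -1 on error. */
int save_secret(const char *path, const char *secret)
{
    size_t len = strlen(secret);
    int fd, ok;

    /* Drop any old copy first so a previously loose mode cannot survive. */
    if (unlink(path) == -1 && errno != ENOENT)
        return -1;
    /* O_EXCL fails if anything (including a symlink) already sits at
     * `path`, so the file we write is always one we just created. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd == -1)
        return -1;
    /* The mode is already at most 0600 here; fchmod restores owner
     * read/write in case the umask masked those bits out. */
    ok = fchmod(fd, S_IRUSR | S_IWUSR) == 0
      && write(fd, secret, len) == (ssize_t)len;
    if (close(fd) == -1)
        ok = 0;
    if (!ok) {
        unlink(path);
        return -1;
    }
    return 0;
}

/* Check to run before reading the file back.
 * Returns 1 if `path` is a regular file owned by us with no group/other
 * permission bits, 0 otherwise (including when it does not exist). */
int secret_file_is_private(const char *path)
{
    struct stat st;

    if (lstat(path, &st) == -1 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != geteuid())
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}
```
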
