On Tue, 6 Feb 2007, Steve Hubert wrote:

> PASSFILE stores the password in an insecure way in a file. If anybody can read that file they can get the password. So PASSFILE doesn't seem like a very good idea except in very special circumstances.

But if PASSFILE is mode 0600 then it's not actually insecure, right (*)?

I ask because someone just filed a bug against Debian alpine requesting exactly this functionality: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=410976 .

If the package specified "~/.alpine-passwd" as suggested in the bug report, would it correctly dispatch to the current user's $HOME? If so, why not require it to be mode 0600 or stricter and just let the user have what he wants?

-- Asheesh.

*. At least so long as the user is in control of what programs he runs, so rogue programs running as the user don't read that file. But if the user is not in control, then rogue programs could just attach debuggers and grab passwords that way anyway, so I think this is a reasonable assumption.

--
You will be misunderstood by everyone.
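The mode-0600-or-stricter requirement suggested in the message, as an added example written for this page (not alpine's own PASSFILE code): it expands a leading "~/" against $HOME, opens the file, and then checks on the open descriptor (fstat, not stat on the path, so the check cannot be raced) that it is a regular file owned by the current user with no group or other permission bits. The helper `passfile_accepted_with_mode` is a constructed self-check that writes a scratch file with a given mode and reports whether the strict open accepts it.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Expand a leading "~/" against $HOME (what "~/.alpine-passwd" needs).
 * Returns 1 on success, 0 if $HOME is unset or the result is too long. */
static int expand_home(const char *path, char *out, size_t outlen) {
    const char *home;
    int n;
    if (strncmp(path, "~/", 2) != 0)
        n = snprintf(out, outlen, "%s", path);
    else if ((home = getenv("HOME")) == NULL || *home == '\0')
        return 0;
    else
        n = snprintf(out, outlen, "%s/%s", home, path + 2);
    return n >= 0 && (size_t)n < outlen;
}

/* Open a password file only if it is a regular file, owned by the
 * calling user, and mode 0600 or stricter (no group/other bits).
 * Returns the open descriptor, or -1 if missing or too permissive. */
int open_passfile_strict(const char *path) {
    char full[4096];
    struct stat st;
    int fd;
    if (!expand_home(path, full, sizeof full)) return -1;
    fd = open(full, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != getuid() || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed self-check: create a scratch file with the given mode and
 * return 1 if open_passfile_strict() accepts it, 0 if it rejects it. */
int passfile_accepted_with_mode(mode_t mode) {
    char tmpl[] = "/tmp/passfile-demo-XXXXXX";
    int fd = mkstemp(tmpl), got;
    if (fd < 0) return -1;
    close(fd);
    if (chmod(tmpl, mode) != 0) { unlink(tmpl); return -1; }
    got = open_passfile_strict(tmpl);
    if (got >= 0) close(got);
    unlink(tmpl);
    return got >= 0;
}
```

Calling `passfile_accepted_with_mode(0600)` returns 1 while `passfile_accepted_with_mode(0644)` returns 0, so a package could refuse to read a world-readable file rather than silently using it.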

