URL: <http://savannah.nongnu.org/bugs/?func=detailitem&item_id=11185>
Summary: Passwords stored insecurely
Project: mldonkey, a multi-networks file-sharing client
Submitted by: None
Submitted on: Wed 01.12.2004 at 16:58
Category: Core
Severity: 3 - Normal
Item Group: Program malfunction
Status: None
Assigned to: None
Open/Closed: Open
Release: None
Release:
Platform Version: None
Binaries Origin: None
CPU type: None

_______________________________________________________

Details:

mldonkey stores its access passwords in downloads.ini, which is typically world-readable. Since the file is not overwritten but moved and recreated every time it's saved, permissions will not be preserved; the only way to protect password hashes is to make the whole working directory inaccessible or to set the umask for the mldonkey process.

Both of these are undesirable, since users may want to allow others access to downloaded files, etc. (Especially true if you run mlnet process under a uid separate from your own uid!)

The solution is to use 0600 rather than 0666 as the file creation mode for downloads.ini, or move the passwords to a separate file that's given restricted permissions so that the other info in downloads.ini can be left world-readable.

_______________________________________________________

Carbon-Copy List:

CC Address                          | Comment
------------------------------------+-----------------------------
[EMAIL PROTECTED]                   |

_______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?func=detailitem&item_id=11185>

_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
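The behaviour the report describes, as an added C example that is not part of the report and not mldonkey's code: a save that moves the old file aside and recreates it discards any manual chmod, so the mode passed at creation decides who can read the password hashes. The function names, the `.old` backup suffix, the demo file name and the file contents are assumptions made for the illustration.

```c
/* Added example, not mldonkey code. File name and contents are constructed. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Save as the report describes: move the old file aside, create a new one.
 * New permissions are create_mode & ~umask; an earlier chmod is not kept. */
static int save_by_recreate(const char *path, const char *data, mode_t create_mode)
{
    char backup[4096];
    if (snprintf(backup, sizeof backup, "%s.old", path) >= (int)sizeof backup)
        return -1;
    if (rename(path, backup) != 0 && errno != ENOENT)
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, create_mode);
    if (fd < 0) return -1;
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    if (close(fd) != 0 || n != (ssize_t)len)
        return -1;
    return 0;
}

/* Under umask 022: save, tighten the file to 0600 by hand, save again.
 * Returns the permission bits after the second save, or -1 on error. */
static int mode_after_resave(const char *path, mode_t create_mode)
{
    char backup[4096];
    struct stat st;
    int result = -1;
    mode_t saved = umask(022);
    snprintf(backup, sizeof backup, "%s.old", path);
    unlink(path); unlink(backup);
    if (save_by_recreate(path, "password = <hash>\n", create_mode) == 0 &&
        chmod(path, 0600) == 0 &&
        save_by_recreate(path, "password = <hash>\n", create_mode) == 0 &&
        stat(path, &st) == 0)
        result = (int)(st.st_mode & 0777);
    unlink(path); unlink(backup);
    umask(saved);
    return result;
}

int main(void)
{
    printf("0666: %04o\n", (unsigned)mode_after_resave("demo_downloads.ini", 0666));
    printf("0600: %04o\n", (unsigned)mode_after_resave("demo_downloads.ini", 0600));
    return 0;
}
```

With creation mode 0666 the second save brings the file back to 0644 despite the manual chmod; with 0600 it stays private without touching the umask or the directory permissions.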