On Sun, 26 Oct 2003 at 21:29 GMT, Wayne Topa penned:
> Monique Y. Herman([EMAIL PROTECTED]) is reported to have said:
>>
>> Of course, your password will then be in plain-text in a file. If
>> you are the only person with root access, this probably isn't a big
>> deal until your box gets hacked, but this sort of thing always gives
>> me the willies.
>
> You run mutt as root? That would give me the willies! I assumed that
> no one would try that!
Did I imply that? I meant to say, anyone with root access could view
your password. If you are the only person with root access, this
probably doesn't matter. I don't run mutt as root, but how would that be
any more dangerous than running, say, cat or vi as root?

>
> I, of course, meant the instructions as a suggestion for the user's
> .muttrc. If you run mutt as root I have no advice other than, don't.
>
> So what do you do about your /etc/ppp/pap-secrets file? It has the
> same permissions as your root .muttrc? Get hacked and it's just as
> bad.

Well, I don't use dialup, so it's not a problem. I assume pap-secrets has
your dialup password or something in it? If so, and if you use a unique
password for dialup, then I would think the worst that could happen is
that they could use the dialup access that is legitimately yours. If
your ISP bundles email and web hosting, that would be a problem, too.
Having someone steal my bandwidth doesn't frighten me nearly as much as
having someone read or destroy my mail.

It's the age-old problem of security vs. convenience. I remember using a
VPN client for work that insisted on putting its configuration file
(including password) in /etc, and furthermore installed it
world-readable by default. Fortunately, it still ran after you
restricted its permissions ... Now, sure, I did restrict its
permissions, and IIRC we actually had access to the source, so I could
have modified it to read the configuration from elsewhere ... but still,
the default configuration was just bad, bad, bad.

It would probably be more secure (assuming some kind of encryption) to
enter your password every time you want to check mail, but most of us
are willing to sacrifice some security to avoid having to type our
passwords all the time. Even so, it's better to make a conscious choice
*after understanding the implications* than to just blindly sally forth.
-- 
monique

Unless you need to share ultra-sensitive super-spy stuff with me, please
don't email me directly. I will most likely see your post before I read
your mail, anyway.

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
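The remedy the thread settles on for a plaintext ~/.muttrc, /etc/ppp/pap-secrets or a VPN config dropped world-readable into /etc is to restrict who can read the file. The script below is an added example, not something posted in the thread: it reports every credential file whose group or other permission bits are non-zero and can strip those bits. The script name, the `--fix` flag and the sample paths in the usage line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit files that hold
# plaintext credentials and report any that group or other can read,
# write or execute.  File paths in the usage line are assumptions.

# Octal permission bits of a file; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print "path mode" for every existing file whose group or other bits are
# non-zero (0644, 0640, 0750 ...).  Exit status 0 when every listed file
# is private to its owner, 1 otherwise.  Missing files are skipped: a
# file that does not exist cannot leak anything.
check_secret_perms() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        mode=$(file_mode "$f")
        go=${mode#"${mode%??}"}        # last two octal digits: group, other
        if [ "$go" != "00" ]; then
            printf '%s %s\n' "$f" "$mode"
            rc=1
        fi
    done
    return $rc
}

# Strip all group/other bits (0644 -> 0600, 0750 -> 0700) from existing
# files.  The owner's bits are left alone so the owning program still runs.
tighten_secret_perms() {
    for f in "$@"; do
        if [ -e "$f" ]; then
            chmod go-rwx "$f"
        fi
    done
}

# Usage: sh secret-perms.sh [--fix] ~/.muttrc /etc/ppp/pap-secrets ...
# With no arguments nothing runs, so the file can also be sourced.
if [ "${1:-}" = "--fix" ]; then
    shift
    tighten_secret_perms "$@"
fi
if [ $# -gt 0 ]; then
    check_secret_perms "$@"
fi
```

Run it as root over the system-wide files (pap-secrets, chap-secrets, the VPN client's config) and as each user over their own rc files; a non-zero exit status makes it usable from a cron job or login script. Note that this only closes the "other users on the box" hole from the thread: anyone who already has root, or anyone who gets it when the box is hacked, can still read a 0600 file.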