Ticket #114 (assigned defect)

Opened 8 years ago

Last modified 8 years ago

IMAP server password stored in plain text on disk

Reported by: Ian Moor
Assigned to: manni (accepted)
Priority: normal
Milestone:
Component: IMAP
Version: 1.1.0
Severity: normal
Keywords: security
Cc:

Description

I am using POPFile v1.1.0 with IMAP on Ubuntu Linux. I recently edited the popfile.cfg file to change the imap_hostname and saw that my imap_password was stored in the file in plain text, and also that when popfile.cfg is updated, it is written with my default umask.

Change History

(follow-up: ↓ 2 ) 08/15/09 12:53:39 changed by manni

  • status changed from new to assigned.
  • owner set to manni.
  • component changed from unknown to IMAP.

Do you have any suggestions as to how this should be addressed?

Of course, simply using a different umask would be a quick and easy fix. I just don't see how any kind of encryption of the password would be more than just cosmetic.

(in reply to: ↑ 1 ) 08/17/09 12:46:21 changed by Ian Moor

Replying to manni:

Do you have any suggestions as to how this should be addressed? Of course, simply using a different umask would be a quick and easy fix. I just don't see how any kind of encryption of the password would be more than just cosmetic.

Suggestion: Use the code from UI/HTML.pm (in start and url_handler) that handles the html_password, to handle the imap_password in the same way.

08/17/09 17:49:04 changed by amatubu

Hi,

I am using v1.1.0 POPFile with IMAP on ubuntu linux,

Are you really using POPFile v1.1.0? If so, you can reset the permission by clicking the 'Update' button on the right side of the Advanced tab.

The POPFile package for Ubuntu executes 'umask 0027' before running POPFile, so 'popfile.cfg' should be read only by the 'popfile' user.

On my machine, the permission of 'popfile.cfg' is:

-rw-r----- 1 popfile popfile 2069 2009-08-18 00:39 /var/lib/popfile/popfile.cfg

Naoki
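
The effect of the umask discussed in this ticket, as an added example that is not POPFile code and not part of any comment above. It shows the mode a newly created file gets under umask 022 and 0027, a writer that forces owner-only access regardless of the caller's umask, and a check for group/other access; the function names, file content and temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example; file contents and paths below are constructed.

# mode_string FILE: print the ls-style mode, e.g. -rw-r-----
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# write_with_umask MASK FILE: create FILE with a plain redirect, so its mode
# is 0666 & ~MASK. The file is removed first because truncating an existing
# file keeps whatever mode it already had.
write_with_umask() {
    ( umask "$1"; rm -f -- "$2"
      printf 'imap_password example-not-real\n' > "$2" )
}

# write_private FILE: replace FILE with stdin via a temp file in the same
# directory; the result is owner-only whatever umask the caller has.
write_private() {
    (
        umask 077
        tmp=$(mktemp "$(dirname -- "$1")/.cfg.XXXXXX") || exit 1
        if cat > "$tmp" && mv -f -- "$tmp" "$1"; then exit 0; fi
        rm -f -- "$tmp"; exit 1
    )
}

# exposed FILE: succeeds if group or others hold any permission bit.
exposed() {
    [ "$(mode_string "$1" | cut -c5-10)" != "------" ]
}

demo() {
    d=$(mktemp -d) || return 1
    for m in 022 0027; do
        write_with_umask "$m" "$d/popfile.cfg"
        echo "umask $m -> $(mode_string "$d/popfile.cfg")"
    done
    printf 'imap_password example-not-real\n' | write_private "$d/popfile.cfg"
    echo "write_private -> $(mode_string "$d/popfile.cfg")"
    if exposed "$d/popfile.cfg"; then echo "exposed"; else echo "owner-only"; fi
    rm -rf -- "$d"
}
demo
```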