Opened 14 years ago
Last modified 14 years ago
#114 assigned defect
IMAP server password stored in plain text on disk
Reported by: | Ian Moor | Owned by: | Manni Heumann |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | IMAP | Version: | 1.1.0 |
Severity: | normal | Keywords: | security |
Cc: |
Description
I am using v1.1.0 POPFile with IMAP on Ubuntu Linux. I recently edited the popfile.cfg file to change the imap_hostname and saw that my imap_password was stored in the file in plain text, and also that when popfile.cfg is updated, it is written with my default umask.
Change History (3)
follow-up: 2 comment:1 by , 14 years ago
Component: | unknown → IMAP |
---|---|
Owner: | set to |
Status: | new → assigned |
comment:2 by , 14 years ago
Replying to manni:
> Do you have any suggestions as to how this should be addressed?
> Of course, simply using a different umask would be a quick and easy fix. I just don't see how any kind of encryption of the password would be more than just cosmetic.

Suggestion: Use the code from UI/HTML.pm (in start and url_handler) that handles the html_password to handle the imap_password in the same way.
comment:3 by , 14 years ago
Hi,
> I am using v1.1.0 POPFile with IMAP on ubuntu linux,

Are you really using POPFile v1.1.0? If so, you can reset the permission by clicking the 'Update' button on the right side of the Advanced tab.
The POPFile package for Ubuntu executes 'umask 0027' before running POPFile, so 'popfile.cfg' should be read only by the 'popfile' user.
On my machine, the permission of 'popfile.cfg' is:
-rw-r----- 1 popfile popfile 2069 2009-08-18 00:39 /var/lib/popfile/popfile.cfg
Naoki
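The umask behaviour discussed in this ticket, as an added example that is not part of the ticket or of POPFile's code: it shows which mode a freshly written config file gets under umask 022 and under the package's umask 0027, a write that ends up owner-only whatever the caller's umask is, and a check for group/other access. The function names, the scratch path and the sample `imap_password` line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not POPFile code. Function names, the scratch directory and
# the sample config line are constructed for illustration.

# Print a file's permission bits in octal (GNU stat first, then BSD stat).
cfg_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Model a fresh write of $1 from stdin under the umask given in $2.
# The file is removed first because rewriting an existing file keeps its mode.
write_cfg_with_umask() {
    ( umask "$2"; rm -f "$1"; cat > "$1" )
}

# Write stdin to $1 so it ends up 0600 regardless of the caller's umask:
# create a temp file in the same directory under umask 077, then rename it.
write_cfg_private() {
    (
        umask 077
        tmp=$(mktemp "$1.XXXXXX") || exit 1
        cat > "$tmp" && mv -f "$tmp" "$1" || { rm -f "$tmp"; exit 1; }
    )
}

# Succeed (exit 0) if anyone other than the owner has any access to $1.
cfg_exposed() {
    mode=$(cfg_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# Demo on a constructed config file in a scratch directory.
demo_dir=$(mktemp -d)
cfg="$demo_dir/popfile.cfg"
for u in 022 027; do
    printf 'imap_password example-not-real\n' | write_cfg_with_umask "$cfg" "$u"
    echo "umask $u -> mode $(cfg_mode "$cfg")"
done
printf 'imap_password example-not-real\n' | write_cfg_private "$cfg"
echo "private write -> mode $(cfg_mode "$cfg")"
rm -rf "$demo_dir"
```

Under umask 0027 the fresh file comes out as 640, which is the `-rw-r-----` listing shown in comment 3.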