On Tuesday 16 September 2008 12:39:28 Dominique Leuenberger wrote:
On Tue, 2008-09-16 at 12:11 +0200, Michael Andres wrote:
On Tue, Sep 16, Jan Kupec wrote:
look at the file provided as ?credentials=/absolute/path/credfile
- the URL has to be saved with this parameter - Q: isn't revealing the location of the credentials file a security issue?
I don't think so. Everybody knows that passwords are stored in /etc/passwd. This does not make it less secure.
Not completely true... in case of /etc/passwd (or /etc/shadow actually nowadays), the algo does not necessarily need to be reversible to check the password hash (take MD5... it's not reversible by mathematics). This works as the program (login) never actually needs to get the clear text password from the hash.
In 'our' case, zypper / libzypp will have to decrypt the passwords (in case they are encrypted) to be able to use them for login. The entire infrastructure to decrypt it is provided in the source files, so the security is not really granted in this case.
But 'revealing the location' is probably the smallest issue here... everybody knows they would be found in /etc/zypp/credentials.d
The only way to prevent password stealing is not having the file world readable. A daemon accessing it, probably controlled via PolicyKit, would be the solution IMHO.
Nope - you want to keep the required update stack dependencies to a minimum. Yes, it might be nice as an add-on way to access the information, but not as the only way.

Stano

--
To unsubscribe, e-mail: zypp-devel+unsubscribe@opensuse.org
For additional commands, e-mail: zypp-devel+help@opensuse.org
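An added example, not code from this thread or from libzypp/zypper: a small POSIX shell audit that reports credentials files readable beyond their owner and tightens them to 0600, i.e. the "not world readable" mitigation discussed above. The credentials directory, file names and contents below are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Audit and harden a credentials directory such as /etc/zypp/credentials.d.
# A credentials file readable by group or other leaks the password: any
# obfuscation applied to it can be undone with the code that decrypts it.
# Directory and file names in the demo are assumptions, not real paths.

# Print every regular file under $1 that has any group/other permission
# bit set. Returns 0 if the directory is clean, 1 if something was reported.
audit_credentials_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -perm -NNN tests single bits, so this combination works on both
    # GNU and BSD find without the non-POSIX -perm /mode form.
    found=$(find "$dir" -type f \( -perm -004 -o -perm -002 -o -perm -001 \
        -o -perm -040 -o -perm -020 -o -perm -010 \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Make every regular file under $1 owner read/write only (0600) and the
# directory itself 0700. On a real system the files should also be owned
# by root (check with: find "$dir" ! -user root), which a test run cannot
# assume, so ownership is left to the administrator here.
harden_credentials_dir() {
    dir=$1
    [ -d "$dir" ] || return 2
    chmod 700 "$dir"
    find "$dir" -type f -exec chmod 600 {} +
}

# Demo on a constructed throwaway directory (not the real /etc/zypp path).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf 'username=user\npassword=secret\n' > "$tmp/example.cred"
    chmod 644 "$tmp/example.cred"
    audit_credentials_dir "$tmp" || echo "group/world readable file(s) listed above"
    harden_credentials_dir "$tmp"
    audit_credentials_dir "$tmp" && echo "clean after hardening"
    rm -rf "$tmp"
fi
```

Run with `--demo` to see the audit flag a 0644 file and pass once it has been tightened.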