On 1/9/07, Marcus Meissner
On Tue, Jan 09, 2007 at 04:24:48PM +0200, Mark Goldstein wrote:
BTW, it uses proxy user and password from /root/.curlrc. This file, though readable by root only, contains the password in plain text. I think it's not a good idea. Anyone with access to the Linux machine can use another system (e.g. Knoppix, or Windows on a dual-boot machine) and read it, unless /root is stored on an encrypted FS.
I actually asked the same question on the Novell forum regarding Red Carpet (about a year ago), since rug had also stored the unencrypted proxy password in a plain file, but have not got a reasonable answer.
If you can read those files then you have root access and can break this system in any other imaginable way too.
Not necessarily. If I have physical access to it, I can insert a CD with Knoppix, for example, and read this file without having root access to it. E.g. a user has a profile for the office, so the proxy user and password are those for her company proxy. If the laptop is stolen or lost, someone will be able to easily find these data.

OK, I understand it's impossible to fully protect it. If someone wants better protection, he will need to store all such data on an encrypted FS. But still, storing these data in plain text sounds too "inviting". After all, the user may not even know what files contain his/her/company sensitive data.

Maybe it could be stored in kwallet or something like that (or at least suggest such an option to the user when configuring the proxy)?

--
Mark Goldstein
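An added example, not part of the thread or of any openSUSE tool: a Python audit that reports where a curl config file such as the /root/.curlrc discussed above holds a proxy password in plain text, without echoing the secret. The function names and the sample users, secrets and hosts are assumptions made for illustration; the permission check only covers other local users, not the boot-from-CD case raised in the thread.

```python
import os
import re
import stat
import tempfile

# Constructed sample in curl config syntax; user names, secrets and hosts are made up.
SAMPLE = '''# office profile
proxy = "http://proxy.example:3128"
proxy-user = "alice:example-secret"
--proxy-user bob
-x http://carol:example-secret@proxy.example:3128
'''

# option, then a separator (whitespace, "=" or ":"), then an optionally quoted value
LINE = re.compile(r'^\s*(-[A-Za-z]|(?:--)?[A-Za-z][\w-]*)\s*[=:\s]\s*"?([^"\n]*)"?\s*$')
URL_CRED = re.compile(r'^[a-z][a-z0-9+.-]*://[^/@:]+:[^/@]+@', re.I)
CRED_OPTS = {"-U", "proxy-user"}   # value is user[:password]
URL_OPTS = {"-x", "proxy"}         # value may be scheme://user:password@host

def audit_curlrc(path):
    """Return (line, option, issue) tuples; the secret itself is never returned."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append((0, "file-mode", "readable or writable beyond owner"))
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, raw in enumerate(fh, 1):
            m = None if raw.lstrip().startswith("#") else LINE.match(raw)
            if not m:
                continue
            opt, val = m.group(1), m.group(2).strip()
            name = opt[2:] if opt.startswith("--") else opt
            if name in CRED_OPTS and val.partition(":")[2]:
                findings.append((n, name, "plaintext proxy password"))
            elif name in URL_OPTS and URL_CRED.match(val):
                findings.append((n, name, "password embedded in proxy URL"))
    return findings

def audit_text(text, mode=0o600):
    """Write text to a temporary file with the given mode and audit it."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return audit_curlrc(path)
    finally:
        os.unlink(path)
```

Calling `audit_curlrc` on a real config path returns the same tuples; an entry such as `--proxy-user bob` is not flagged because it carries no password.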