John Fischer wrote:
> LSARC,
>
> Unfortunately, I lost my phone service early on during
> yesterday's open meeting.  I was only able to dial in 
> during the last few minutes of the open discussion.  I 
> had hoped to discuss the permissions issue during the 
> meeting.
>
> So how do others see the password permissions issue?
>   
I am of the same opinion as you here. The password file should
be guarded from casual reading.

A related question here is the key used for performing encryption;
I was not able to locate in the materials how this is specified.
Is this something specified at install time or is it something that
ships with the product, and is it modifiable or not?

-Aniruddh
> Thanks,
>
> John
>
> On Tue, 2008-11-11 at 09:50, John Fischer wrote:
>   
>> Shura,
>>
>> This partially answers my question.  The real problem is that
>> Eclipse creates the password file with 644 permissions and the
>> directories with 755 permissions.  In my opinion this is too
>> permissive.  It should create the file with 600 or 400 and
>> the directories with 700.  Let's discuss this with the rest
>> of the committee in 10 minutes.
>>
>> Thanks,
>>
>> John
>>
>> On Tue, 2008-11-11 at 09:20, Alexandre (Shura) Iline wrote:
>>     
>>> John, thanks for the explanation.
>>>
>>> All dirs Eclipse creates in and including ~/.eclipse have 755 permissions. 
>>> Password file is 644.
>>>
>>> If I change the permissions to 700 and 600, it is still able to work.
>>>
>>> Does it answer your question?
>>>
>>> Shura.
>>>
>>> On Tuesday 11 November 2008 20:00:37 John Fischer wrote:
>>>       
>>>> Shura,
>>>>
>>>> Typically these types of directories have permissions of
>>>> drwx------.  Sometimes these directories will have permissions
>>>> of drwxr-xr-x.  Here are a couple of examples from my home
>>>> directory:
>>>>
>>>> drwxr-xr-x   2 johnf    staff        512 Mar 16  2005 .desktop/
>>>> drwxr-xr-x   2 johnf    staff        512 May 22  2003 .dist/
>>>> drwxr-xr-x  15 johnf    staff        512 Oct  8 09:20 .dt/
>>>>
>>>> Now if there is sensitive data stored within the directories
>>>> that have the group and other permissions with the read bit
>>>> set we need to ensure that the password file still has some
>>>> level of protection.  Typically these files are only owner
>>>> readable (-rw------- (0600) or -r-------- (0400)).  There are
>>>> several programs on Solaris that when they notice that the
>>>> permissions are not 0600 or 0400 will exit or not use the
>>>> file.  Does Eclipse provide this level of protection for
>>>> the password file it stores in the home directory?
>>>>
>>>> Thanks,
>>>>
>>>> John
>>>>
>>>> On Tue, 2008-11-11 at 00:31, Alexandre (Shura) Iline wrote:
>>>>         
>>>>> On Monday 10 November 2008 19:13:31 John Fischer wrote:
>>>>>           
>>>>>> Shura,
>>>>>>
>>>>>> What are the permissions of the directories and
>>>>>> file secure_storage?  Assuming that the directories
>>>>>> and file permissions are supposed to be readable and
>>>>>> writable by the owner only what happens if the
>>>>>> permissions are otherwise?
>>>>>>             
>>>>> I did not check this scenario. This is an unlikely one, though.
>>>>>
>>>>> Normally, ~/.* directories and files are configuration files for some
>>>>> systems or programs, such as .bashrc, for instance.
>>>>>
>>>>> Is there a case when such files are not writeable?
>>>>>
>>>>> Shura.
>>>>>
>>>>>           
>>>>>> Thanks,
>>>>>>
>>>>>> John
>>>>>>
>>>>>> On Mon, 2008-11-10 at 05:56, Alexandre (Shura) Iline wrote:
>>>>>>             
>>>>>>> Hi.
>>>>>>>
>>>>>>> Eclipse simply stores encrypted passwords into a file.
>>>>>>>
>>>>>>> The file is
>>>>>>> ~/.eclipse/org.eclipse.equinox.security/secure_storage file.
>>>>>>>
>>>>>>> No security issue here as far as I can see.
>>>>>>>
>>>>>>> Shura.
>>>>>>>               
>>>       
>
>
>   
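
The permission check discussed in this thread, as an added example that is not part of the original messages and is not Eclipse code: it audits the `secure_storage` file and its parent directories for group/other bits, refuses to read the file unless it is owner-only (0600 or 0400), and applies the 600/700 modes proposed above. The function names `audit`, `load_if_private` and `tighten` are hypothetical; only the relative path comes from the thread.

```python
import os
import stat

# Relative layout taken from the thread; all function names are hypothetical.
STORE = ".eclipse/org.eclipse.equinox.security/secure_storage"
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO


def audit(home, rel=STORE):
    """Return [(path, mode)] for the file and every parent directory below
    `home` that grants any permission bit to group or other."""
    findings = []
    path = os.path.join(home, rel)
    while os.path.normpath(path) != os.path.normpath(home):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & GROUP_OTHER:
            findings.append((path, mode))
        path = os.path.dirname(path)
    return findings


def load_if_private(home, rel=STORE):
    """Read the file only if it is a regular file owned by the caller with
    mode 0600 or 0400; otherwise refuse, like the strict programs described."""
    path = os.path.join(home, rel)
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
        raise PermissionError(f"{path}: not a regular file owned by caller")
    if mode not in (0o600, 0o400):
        raise PermissionError(f"{path}: mode {mode:04o}, want 0600 or 0400")
    with open(path, "rb") as fh:
        return fh.read()


def tighten(home, rel=STORE):
    """Apply the modes proposed in the thread: 0600 file, 0700 directories."""
    for path, _ in audit(home, rel):
        os.chmod(path, 0o700 if os.path.isdir(path) else 0o600)


if __name__ == "__main__":
    try:
        for path, mode in audit(os.path.expanduser("~")):
            print(f"{mode:04o} {path}")
    except FileNotFoundError:
        print("no secure_storage file under the home directory")
```
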

