Bug#361913: linphone: patch for passwords stored world-readable
Hello,

Thanks a lot for the patch. It is merged in CVS.

Simon

On Monday 15 May 2006 00:41, Alec Berryman wrote:

> Package: linphone
> Version: 1.3.3-1
> Followup-For: Bug #361913
>
> Linphone also stores passwords in ~/.linphonerc. That file may have been created group- or world-accessible because it was created with fopen(), which uses the user's umask. See coreapi/lpconfig.c:211. Both frontends use functions in coreapi/lpconfig.c to store configuration information, and do not implement separate read/parse/write functions.
>
> Per console/linphonec.c:739, linphone appears to be migrating to use ~/.linphonerc for both the console and GNOME client, so any discussion of ~/.gnome2_private vs gconf is probably moot. Encrypting saved passwords is also not a good option; see http://gaim.sourceforge.net/plaintextpasswords.php for more information.
>
> The GNOME client does not appear to be using ~/.linphonerc as of 1.3.3-1; in gnome/linphone.c:344, the configuration file name is still ~/.gnome2/linphone.
>
> I believe that the attached dpatch corrects the issue of world-readable passwords. When the configuration file is to be written, the user's umask is overridden so that the file will not be created group- or world-accessible. Additionally, when parsing the configuration file on startup, it will forcibly set permissions to 600. This may be too heavy-handed and it might be more appropriate to stat() and possibly emit a g_warning() to the user, but I thought it was better to require no user intervention.
>
> The patch applies and compiles correctly (when docs are removed from the build; see #365523). I have tested the GNOME frontend, and ~/.gnome2/linphone is created correctly and is properly updated when it already exists.
Bug#361913: linphone: patch for passwords stored world-readable
Hi,

Alec Berryman wrote:
> I believe that the attached dpatch corrects the issue of world-readable passwords.

Your patch looks nice to me. Thanks a lot. I'll try to integrate it soon in the Debian package and solve the other RC with the doc.

Cheers,
Samuel.
Bug#361913: linphone: patch for passwords stored world-readable
Package: linphone
Version: 1.3.3-1
Followup-For: Bug #361913

Linphone also stores passwords in ~/.linphonerc. That file may have been created group- or world-accessible because it was created with fopen(), which uses the user's umask. See coreapi/lpconfig.c:211. Both frontends use functions in coreapi/lpconfig.c to store configuration information, and do not implement separate read/parse/write functions.

Per console/linphonec.c:739, linphone appears to be migrating to use ~/.linphonerc for both the console and GNOME client, so any discussion of ~/.gnome2_private vs gconf is probably moot. Encrypting saved passwords is also not a good option; see http://gaim.sourceforge.net/plaintextpasswords.php for more information.

The GNOME client does not appear to be using ~/.linphonerc as of 1.3.3-1; in gnome/linphone.c:344, the configuration file name is still ~/.gnome2/linphone.

I believe that the attached dpatch corrects the issue of world-readable passwords. When the configuration file is to be written, the user's umask is overridden so that the file will not be created group- or world-accessible. Additionally, when parsing the configuration file on startup, it will forcibly set permissions to 600. This may be too heavy-handed and it might be more appropriate to stat() and possibly emit a g_warning() to the user, but I thought it was better to require no user intervention.

The patch applies and compiles correctly (when docs are removed from the build; see #365523). I have tested the GNOME frontend, and ~/.gnome2/linphone is created correctly and is properly updated when it already exists.
-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-alec-laptop
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages linphone depends on:
ii  libart-2.0-2        2.3.17-1       Library of functions for 2D graphi
ii  libatk1.0-0         1.11.4-2       The ATK accessibility toolkit
ii  libbonobo2-0        2.14.0-1       Bonobo CORBA interfaces library
ii  libbonoboui2-0      2.14.0-2       The Bonobo UI library
ii  libc6               2.3.6-7        GNU C Library: Shared libraries
ii  libcairo2           1.0.4-2        The Cairo 2D vector graphics libra
ii  libfontconfig1      2.3.2-5.1      generic font configuration library
ii  libgconf2-4         2.14.0-1       GNOME configuration database syste
ii  libglib2.0-0        2.10.2-2       The GLib library of C routines
ii  libgnome-keyring0   0.4.9-1        GNOME keyring services library
ii  libgnome2-0         2.14.1-2       The GNOME 2 library - runtime file
ii  libgnomecanvas2-0   2.14.0-2       A powerful object-oriented display
ii  libgnomeui-0        2.14.1-1       The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0      2.14.1-2       GNOME virtual file-system (runtime
ii  libgtk2.0-0         2.8.17-2       The GTK+ graphical user interface
ii  libice6             1:1.0.0-3      X11 Inter-Client Exchange library
ii  liblinphone1        1.3.3-1        linphone web phone's library (supp
ii  liborbit2           1:2.14.0-1     libraries for ORBit2 - a CORBA ORB
ii  libosip2-3          2.2.2-3        Session Initiation Protocol (SIP)
ii  libpanel-applet2-0  2.14.1-1       library for GNOME 2 panel applets
ii  libpango1.0-0       1.12.1-3       Layout and rendering of internatio
ii  libpopt0            1.7-5          lib for parsing cmdline parameters
ii  libsm6              1:1.0.0-4      X11 Session Management library
ii  libx11-6            2:1.0.0-6      X11 client-side library
ii  libxcursor1         1.1.5.2-5      X cursor management library
ii  libxext6            1:1.0.0-4      X11 miscellaneous extension librar
ii  libxi6              1:1.0.0-5      X11 Input extension library
ii  libxinerama1        1:1.0.1-4      X11 Xinerama extension library
ii  libxml2             2.6.24.dfsg-1  GNOME XML library
ii  libxrandr2          2:1.1.0.2-4    X11 RandR extension library
ii  libxrender1         1:0.9.0.2-4    X Rendering Extension client libra
ii  linphone-nox        1.3.3-1        web phone
ii  zlib1g              1:1.2.3-11     compression library - runtime

linphone recommends no packages.

-- no debconf information

Attachment: 361913_world_readable_passwords.dpatch
Description: application/shellscript