[jira] [Commented] (DIRSTUDIO-971) connections.xml should not be globally-readable
[ https://issues.apache.org/jira/browse/DIRSTUDIO-971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13878838#comment-13878838 ] Pierre-Arnaud Marcelot commented on DIRSTUDIO-971: -- Indeed, see DIRSTUDIO-901. https://issues.apache.org/jira/browse/DIRSTUDIO-901 connections.xml should not be globally-readable --- Key: DIRSTUDIO-971 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-971 Project: Directory Studio Issue Type: Bug Components: studio-connection Affects Versions: 2.0.0-M8 (2.0.0.v20130628) Environment: Linux Reporter: Andrew Findlay Connection parameters are stored in the file connections.xml This can include bind DNs and passwords, which are stored in clear text. The file is globally-readable, exposing these passwords to great risk. Another bug notes that encrypted storage would be better, but please at least set the file mode so that it can only be read by its owner. The file is re-created every time a connection is edited, so changing the file mode by hand does not solve the problem. A possible workaround for Linux is: chmod 700 ~/.ApacheDirectoryStudio -- This message was sent by Atlassian JIRA (v6.1.5#6160)
[jira] [Commented] (DIRSTUDIO-971) connections.xml should not be globally-readable
[ https://issues.apache.org/jira/browse/DIRSTUDIO-971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13877699#comment-13877699 ] Emmanuel Lecharny commented on DIRSTUDIO-971: - totally agree. connections.xml should not be globally-readable --- Key: DIRSTUDIO-971 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-971 Project: Directory Studio Issue Type: Bug Components: studio-connection Affects Versions: 2.0.0-M8 (2.0.0.v20130628) Environment: Linux Reporter: Andrew Findlay Connection parameters are stored in the file connections.xml This can include bind DNs and passwords, which are stored in clear text. The file is globally-readable, exposing these passwords to great risk. Another bug notes that encrypted storage would be better, but please at least set the file mode so that it can only be read by its owner. The file is re-created every time a connection is edited, so changing the file mode by hand does not solve the problem. A possible workaround for Linux is: chmod 700 ~/.ApacheDirectoryStudio -- This message was sent by Atlassian JIRA (v6.1.5#6160)
[jira] [Commented] (DIRSTUDIO-971) connections.xml should not be globally-readable
[ https://issues.apache.org/jira/browse/DIRSTUDIO-971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13877704#comment-13877704 ] Kiran Ayyagari commented on DIRSTUDIO-971: -- Studio already offers a secure storage feature, but not enabled by default. connections.xml should not be globally-readable --- Key: DIRSTUDIO-971 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-971 Project: Directory Studio Issue Type: Bug Components: studio-connection Affects Versions: 2.0.0-M8 (2.0.0.v20130628) Environment: Linux Reporter: Andrew Findlay Connection parameters are stored in the file connections.xml This can include bind DNs and passwords, which are stored in clear text. The file is globally-readable, exposing these passwords to great risk. Another bug notes that encrypted storage would be better, but please at least set the file mode so that it can only be read by its owner. The file is re-created every time a connection is edited, so changing the file mode by hand does not solve the problem. A possible workaround for Linux is: chmod 700 ~/.ApacheDirectoryStudio -- This message was sent by Atlassian JIRA (v6.1.5#6160)
