[Pan-users] Re: ANN: Pan 0.121 "Dortmunder"

[Duncan]

Robert Marshall
<address@hidden>
posted address@hidden,
excerpted below, on  Fri, 26 Jan 2007 13:22:31 +0000:

> On Mon, 22 Jan 2007, Charles Kerr wrote:
> 
>> January 22, 2007 - Pan 0.121: "Dortmunder"
> 
> I've just added a newsserver that requires authentication and I see that
> the password is stored in clear text (preferences.xml) in a file with world
> read access in a directory that has also open access.
> 
> I've removed read access from all but me but shouldn't this be the default?

Here, my umask is 0027, and servers.xml (preferences.xml doesn't contain
the password, as that wouldn't really make sense with multiple servers,
servers.xml contains it) has permissions of 0640 (-rw-r-----). World read
isn't a problem due to the umask, but group read should be considered one,
but it's observing the umask.

Still, plain text storage of the password in anything but a user-only
readable file isn't good.  Please file a bug on this, then post the link
or bug number here and I'll second it.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman