Project

General

Profile

Bug #1448

quassel-client: core connection passsword stored in plan Ascii in chmod 644 file

Added by xypron about 7 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
12/18/2017
Due date:
% Done:

0%

Estimated time:
8.00 h
Version:
0.12.4
OS:
Linux

Description

Dear Maintainer,

the configuration of quassel client is stored in
~/.config/quassel-irc.org/quasselclient.conf
This file was created on my system as chmod 644. So it is world readable.

The configuration file is plain Ascii:

[CoreAccounts]
1\AccountId=1
1\AccountName=example
1\HostName=chat.example.com
1\Password=password
1\User=user

So the password can be picked up by anybody.

The configuration file should be created chmod 600.
The password should be stored in a wallet manager, e.g. KDEwallet.

Best regards

Heinrich Schuchardt

History

#1 Updated by phuzion over 3 years ago

  • Status changed from New to Resolved

I'm going to mark this issue as resolved.

I've tested that quasselclient.conf files are created as 0600 using both the Fedora packaged version of the client and with a version I built myself off of git HEAD.

If there are any other distros that package Quassel Client and their quasselclient.conf files have different permissions, I suspect that would be a packaging problem.

Also available in: Atom PDF