[Users] [Bug 3099] Username and password stored in plain text
noreply at thewildbeast.co.uk
Tue Mar 11 12:46:29 CET 2014
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3099
--- Comment #10 from Tomas Radej <tradej at redhat.com> ---
I have plenty of arguments. I just didn't feel like going on, but I can give
you a sample all right.

*) A program running under my UID might very well be malicious. Every year,
guys at #pwn2own find a couple of ways to hijack a browser. Let alone the JVM.
We've all been there. Presuming user apps are benign is just *plain wrong*.
This problem sort of can be worked out with SELinux, as you suggested, but read
on.

*) SELinux currently works only with some distros, and is a sort of a pain to
configure, at least in Debian, where I tried it. In a related problem, you need
a root password to do it. The user may not have it.

*) Your approach delegates security of your application to other applications,
and is, by default, opt-in. If you see nothing wrong with that, I can't really
argue with you, because we are not operating on the same level.

Are more arguments required?
--
You are receiving this mail because:
You are the assignee for the bug.