[Users] [Bug 3099] Username and password stored in plain text

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Tue Mar 11 12:46:29 CET 2014


--- Comment #10 from Tomas Radej <tradej at redhat.com> ---
I have plenty of arguments. I just didn't feel like going on, but I can give
you a sample all right.

*) A program running under my UID might very well be malicious. Every year,
guys at #pwn2own find a couple of ways to hijack a browser. Let alone the JVM.
We've all been there. Presuming user apps are benign is just *plain wrong*.
This problem sort of can be worked out with SELinux, as you suggested, but read

*) SELinux currently works only with some distros, and is a sort of a pain to
configure, at least in Debian, where I tried it. In a related problem, you need
a root password to do it. The user may not have it.

*) Your approach delegates security of your application to other applications,
and is, by default, opt-in. If you see nothing wrong with that, I can't really
argue with you, because we are not operating on the same level.

Are more arguments required?

You are receiving this mail because:
You are the assignee for the bug.

More information about the Users mailing list