[ubuntu-mono] [Bug 207910] [NEW] Tomboy leaves passwords in log file
mannheim
kronheim at math.harvard.edu
Thu Mar 27 19:25:49 GMT 2008
Public bug reported:
Binary package hint: tomboy
Tomboy writes a log file at ~/.tomboy.log. If the user is using webdav
to synchronize notes to a server, then the log file contains the full
command-line for "wdfs", including the user's password. Although the
permissions on the file are -rw-r-----, this still seems like poor
security.
If tomboy is launched from the command-line, then the password also
appears in the terminal.
For clarification:
(1) tomboy does require that the password be stored in the user's
keyring, in such a way that it is unlocked at login. So anyone who has
access to the user's gnome desktop has access to the plaintext password
anyway (just open up "seahorse", and view the password). But still, the
user shouldn't expect the password to be written to disk.
(2) wdfs is (I think) not part of the ubuntu distribution yet, so this
functionality is not available in tomboy in a default install. Only
users who seek out wdfs are affected.
** Affects: tomboy (Ubuntu)
Importance: Undecided
Status: New
--
Tomboy leaves passwords in log file
https://bugs.launchpad.net/bugs/207910
You received this bug notification because you are a member of MOTU Mono
Team, which is subscribed to tomboy in ubuntu.
More information about the Ubuntu-mono
mailing list