[ubuntu-mono] [Bug 207910] Re: Tomboy leaves passwords in log file
Bug Watch Updater
207910 at bugs.launchpad.net
Thu Sep 16 03:51:00 BST 2010
** Changed in: tomboy
Importance: Unknown => Critical
--
Tomboy leaves passwords in log file
https://bugs.launchpad.net/bugs/207910
You received this bug notification because you are a member of Ubuntu
CLI/Mono Uploaders, which is subscribed to tomboy in ubuntu.
Status in Tomboy: Fix Released
Status in “tomboy” package in Ubuntu: Fix Released
Bug description:
Binary package hint: tomboy
Tomboy writes a log file at ~/.tomboy.log. If the user is using webdav to synchronize notes to a server, then the log file contains the full command-line for "wdfs", including the user's password. Although the permissions on the file are -rw-r-----, this still seems like poor security.
If tomboy is launched from the command-line, then the password also appears in the terminal.
For clarification:
(1) tomboy does require that the password be stored in the user's keyring, in such a way that it is unlocked at login. So anyone who has access to the user's gnome desktop has access to the plaintext password anyway (just open up "seahorse", and view the password). But still, the user shouldn't expect the password to be written to disk.
(2) wdfs is (I think) not part of the ubuntu distribution yet, so this functionality is not available in tomboy in a default install. Only users who seek out wdfs are affected.
More information about the Ubuntu-mono
mailing list