#806500 quassel-client: Client configuration is world readable and contains password in plain text
- Package: quassel-client
- Source: quassel
- Description: distributed IRC client - client component
- Submitter: Diederik de Haas
- Date: 2022-06-16 11:15:03 UTC
- Severity: wishlist
- Tags:
As I was trying to set up CertFP I had a look at ~/.config/quassel-irc.org and noticed the following:
    -rw-r--r-- 1 diederik diederik 8101 nov 28 03:01 quasselclient.conf
Looking into that file I could easily see my password and that combined with the security settings of that file did not make me happy.
Hi,
This is a wrong assumption, just look at directory access permissions:
    $ LC_ALL=C ls -alp ~/.config/ | grep '\./'
    drwx------  96 user user  4096 Nov 28 23:44 ./
    drwx------ 192 user user 12288 Nov 28 22:39 ../
Best wishes,
Boris
Mine are not the same:
    diederik@bagend:~$ LC_ALL=C ls -alp ~/.config/ | grep '\./'
    drwxr-xr-x 45 diederik diederik  4096 Nov 28 19:29 ./
    drwxr-x--- 68 diederik diederik 12288 Nov 28 17:59 ../
    diederik@bagend:~$ ls -ld ~/.config/
    drwxr-xr-x 45 diederik diederik 4096 nov 28 19:29 /home/diederik/.config/
    diederik@bagend:~$ ls -ld ~/.config/quassel-irc.org/
    drwxr-xr-x 2 diederik diederik 4096 nov 28 11:10 /home/diederik/.config/quassel-irc.org/
This should be enough I think:
    $ LC_ALL=C su another-user -c 'ls -alp /home/diederik/.config'
    Password:
    ls: cannot access /home/diederik/.config: Permission denied
Best wishes,
Boris
    diederik@bagend:~$ LC_ALL=C su quassel-test -c 'ls -alp /home/diederik/.config'
    Password:
    ls: cannot access /home/diederik/.config: Permission denied
Sorry for the noise.
Not encoding the password means that any user application can fetch it and send it to the internet even if ~/.config is chmod 700. Can anything be worse? Best regards Henrich
Well, that's the unfortunate state of security on the Linux desktop (and other major desktop OSes). Largely there is no privilege separation between applications. They all run in the same context so they can't really keep secrets from each other. Technologies like Flatpak and Snappy are trying to solve this by sandboxing applications [0].
Felix
[0] https://github.com/flatpak/flatpak/wiki/Sandbox
That is true. Even though the file is protected by the security of ~/.config, I see no reason why the file itself isn't 600 or 660. But the real problem is that the password is stored in plaintext and I find that inexcusable.
Storing the password in the KDE wallet manager would mean that the password could only be retrieved when the wallet is open. This is not perfect security but better than having the password available at all times. Best regards Heinrich
Problem with that is that it creates a dependency on KDE, while quassel only needs Qt.
Another option would be to GPG encrypt the password and ask for the GPG private key password when the application is opened. Essentially that is what KWallet does internally. Best regards Heinrich
Control: tag -1 upstream fixed-upstream
According to that upstream bug, the issue has been fixed. I did take a look at https://github.com/quassel/quassel/commits/master but there wasn't a specific commit (message) that jumped out at me for being the fix. The permissions on my config file are still 0644, but I don't know if a new upstream version should fix it or the Debian package or that I should do it myself. Anyway, according to upstream it should be fixed :-)
Cheers,
Diederik
Version: 1:0.13.0-1
https://github.com/quassel/quassel/commit/27df512ce272d88cf85b854f6bfb3f1c7ba4a65c
So closing it with that version.
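
The permission argument earlier in the thread (a 0644 file that other accounts still cannot reach because a parent directory denies them) can be checked mechanically. The script below is an added example, not part of the bug report or of Quassel; the function names `other_bits` and `exposure` are made up for illustration. It assumes GNU `stat`, looks only at the "other" mode bits, and does not cover ACLs, group membership, symlink targets or processes running as the file's owner.

```shell
#!/bin/sh
# Added example, not from the bug thread. Assumes GNU stat (-c '%a').
# Only the mode bits of the "other" class are examined; ACLs, group
# membership and symlink targets are out of scope.

# Print the last octal digit of PATH's mode (the "other" permission bits).
other_bits() {
    ob_mode=$(stat -c '%a' -- "$1") || return 1
    printf '%s\n' "${ob_mode#"${ob_mode%?}"}"
}

# exposure FILE [TOP]
# Prints "exposed" when others may read FILE and search every directory from
# FILE's parent up to TOP (default: the filesystem root); otherwise prints
# "blocked by PATH", naming the first component that denies access.
exposure() (
    file=$1
    top=${2:-/}
    bits=$(other_bits "$file") || return 2
    case $bits in
        4|5|6|7) ;;                               # others have r on the file
        *) printf 'blocked by %s\n' "$file"; return 0 ;;
    esac
    dir=$(dirname -- "$file")
    while :; do
        bits=$(other_bits "$dir") || return 2
        case $bits in
            1|3|5|7) ;;                           # others have x (search)
            *) printf 'blocked by %s\n' "$dir"; return 0 ;;
        esac
        [ "$dir" = "$top" ] && break
        parent=$(dirname -- "$dir")
        [ "$parent" = "$dir" ] && break           # reached / (or .)
        dir=$parent
    done
    printf 'exposed\n'
)

# Usage: sh check.sh /home/user/.config/quassel-irc.org/quasselclient.conf
if [ "$#" -gt 0 ]; then exposure "$@"; fi
```

A "blocked by" result depends entirely on the named directory keeping its mode; tightening the file itself to 0600 removes that dependency.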