directory-dev mailing list archives

From "Andrew Findlay (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DIRSTUDIO-971) connections.xml should not be globally-readable
Date Tue, 21 Jan 2014 18:04:19 GMT
Andrew Findlay created DIRSTUDIO-971:
----------------------------------------

             Summary: connections.xml should not be globally-readable
                 Key: DIRSTUDIO-971
                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-971
             Project: Directory Studio
          Issue Type: Bug
          Components: studio-connection
    Affects Versions: 2.0.0-M8 (2.0.0.v20130628)
         Environment: Linux
            Reporter: Andrew Findlay


Connection parameters are stored in the file connections.xml.
This can include bind DNs and passwords, which are stored in clear text.
The file is globally-readable, exposing these passwords to great risk.
Another bug notes that encrypted storage would be better, but please at least set the file
mode so that it can only be read by its owner.
The file is re-created every time a connection is edited, so changing the file mode by hand
does not solve the problem. A possible workaround for Linux is:
chmod 700 ~/.ApacheDirectoryStudio




--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
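
The report's point, that a hand-fixed file mode is lost when the file is re-created while a 700 directory mode keeps protecting it, as an added shell example that is not part of the original message or of Directory Studio. The temporary directory, the simulate_save stand-in (delete, then write under an assumed 022 umask) and the function names are constructed for illustration; it assumes Linux with GNU stat.

```shell
#!/bin/sh
# Added example for Linux (GNU stat); every path and file here is constructed.

# Octal permission bits of a path, e.g. 644.
mode_of() { stat -c '%a' "$1"; }

# Succeed if any of the given octal mask bits are set on the path.
has_bits() {
    m=$(mode_of "$1") || return 2
    [ $(( 0$m & 0$2 )) -ne 0 ]
}

# Classify DIR/connections.xml:
#   missing  - no such file
#   private  - file has no group/other read bit
#   shielded - file is group/other readable, but DIR has no group/other
#              search (x) bit, so other users cannot reach it
#   exposed  - file readable and DIR searchable by group/other
classify() {
    [ -f "$1/connections.xml" ] || { echo missing; return 0; }
    if ! has_bits "$1/connections.xml" 44; then echo private
    elif ! has_bits "$1" 11; then echo shielded
    else echo exposed
    fi
}

# Stand-in for the application re-creating the file on each edit.
# Assumption: delete, then write under a typical 022 umask.
simulate_save() {
    ( umask 022
      rm -f "$1/connections.xml"
      printf '<connections/>\n' > "$1/connections.xml" )
}

demo() {
    d=$(mktemp -d) || return 1
    chmod 755 "$d"                      # assumed: directory searchable by others
    simulate_save "$d"; r1=$(classify "$d")
    chmod 600 "$d/connections.xml"      # hand-fix on the file
    r2=$(classify "$d")
    simulate_save "$d"; r3=$(classify "$d")   # next edit undoes the hand-fix
    chmod 700 "$d"                      # workaround from the report
    simulate_save "$d"; r4=$(classify "$d")   # survives re-creation
    rm -rf "$d"
    echo "$r1 $r2 $r3 $r4"
}

demo
```

Running classify against a real ~/.ApacheDirectoryStudio directory reports the same four states for the connections.xml directly inside it.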
