[Pkg-kde-extras] Bug#806500: Bug#884652: quassel-client: connection password stored in plan Ascii in a chmod 644 file

Felix Geyer fgeyer at debian.org
Mon Dec 18 20:08:46 UTC 2017


On Mon, 18 Dec 2017 18:04:19 +0100 Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
> Not encoding the password means that any user application can fetch it 
> and send it to the internet even if ~/.config is chmod 700.
> 
> Can anything be worse?

Well, that's the unfortunate state of security on the Linux desktop (and other major desktop OSes).
Largely there is no privilege separation between applications.
They all run in the same context so they can't really keep secrets from each other.
Technologies like Flatpak and Snappy are trying to solve this by sandboxing applications [0].

Felix

[0] https://github.com/flatpak/flatpak/wiki/Sandbox


