Bug#337830: Security problem in kphone
Ludovic Drolez
ldrolez at debian.org
Sat Feb 4 22:07:39 UTC 2006
Sven Dreyer wrote:
> Hi Ludovic,
>
> Ludovic Drolez wrote:
>
>>I cannot reproduce your bug. With my settings kphonerc is created with 664
>>rights, since my umask is set to 002.
>>
>>I think that you have your umask set to 000. Which value does 'umask' return?
>
>
> test at sven-desktop:~$ umask
> 0022
> test at sven-desktop:~$ ls -l .qt/kphonerc
> -rw-r--r-- 1 test test 130 2006-02-04 09:57 .qt/kphonerc
> test at sven-desktop:~$
>
> But that is the problem: kphonerc is world-_readable_ and it contains
> the username and password in clear text.
>
> Umask value should not be applied in this case, the permissions on
> kphonerc should always be 0600 since this file contains sensitive data.
>
Ok. I've added 'umask(077)' in kphone.cpp, near the start of
KPhone::KPhone(), and it does the trick.
Klaus, since I'm not a Qt expert, should I use the Unix umask or is there a
Qt equivalent?
Regards,
--
Ludovic Drolez.
http://www.palmopensource.com - The PalmOS Open Source Portal
http://www.drolez.com - Personal site - Linux and PalmOS stuff
-------------- next part --------------
--- kphone.cpp.orig 2005-06-21 13:14:49.000000000 +0200
+++ kphone.cpp 2006-02-04 22:49:19.000000000 +0100
@@ -1,5 +1,8 @@
#include <stdio.h>
#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
#include <qtimer.h>
#include <qsettings.h>
#include <qmenubar.h>
@@ -32,6 +35,8 @@
userPrefix = "_" + prefix + "_";
}
QSettings settings;
+
+ umask(077);
Sip::setLocalAddress( settings.readEntry(
"/kphone/dissipate_addr", Sip::getLocalAddress() ) );
QString socketStr = settings.readEntry( "/kphone/General/SocketMode", "UDP" );
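Review bot: the umask(077) call after `QSettings settings;` only changes the mode of files created from that point on, so a kphonerc that already exists as -rw-r--r-- (as in the reporter's listing) stays world-readable after this patch is installed. Consider also setting the existing settings file to 0600 explicitly at startup, for example with chmod() on its path, so upgraded installations are fixed too. The mask is also process-wide: every file or directory KPhone creates later, and any child process it starts, inherits 077. If that is intended, a short comment above the call saying so would help; if not, keep the value umask() returns and restore it once the settings have been written.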