Bug#: 20127
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Florian Dittmer <florian.dittmer@pyogenesis.net>

Description:   Opened: 2003-04-28 16:15 0000
Vpopmail stores the passwords in clear text (in addition to the encrypted
passwd in the "vpasswd" files) because of the configure parameter
"--enable-clear-passwd=y" in the ebuild.

Is there a special reason for this? Else I would suggest to set this to no by
default, for security reasons.


Reproducible: Always

------- Comment #1 From Robin Johnson 2003-08-06 01:25:17 0000 -------
As a sysadmin that uses vpopmail, I'd like to point out that for the most part,
if your system has been hacked to the point that somebody gets to the cleartext
password, you have much larger problems.

Also, given that most IMAP implementations send passwords without any
encryption at all, let alone SSL, storing a secured copy of the cleartext is
actually a boon for the administrator.

Any qualms about marking this 'WONTFIX'?

------- Comment #2 From solar 2003-08-19 16:26:20 0000 -------
I would personally prefer to see it become optional so that we may please
(all|most|some|a few) of our users security concerns.

------- Comment #3 From John Mylchreest (RETIRED) 2003-09-25 08:24:29 0000 -------
anyone object to:

if [ -n "$(use crypt)" ] ; then
  myconf="${myconf} --enable-clear-passwd=n"
else
  myconf="${myconf} --enable-clear-passwd=y"
fi

------- Comment #4 From SpanKY 2003-09-25 09:40:11 0000 -------
i'd object ...
how about a local USE flag ...
IUSE="clearpasswd" ... that way the user knows exactly what they're getting
...

------- Comment #5 From Robin Johnson 2003-09-25 11:19:29 0000 -------
I agree with vapier.
A separate USE flag would be best.

------- Comment #6 From solar 2003-09-25 17:03:22 0000 -------
Added support for local use flag "clearpasswd" vpopmail-5.2.1-r6 /
use.local.desc

Note:
This changes the default behavior to now not store cleartext by default.
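
Added example, not part of the bug report or the ebuild: a check an administrator could run to find vpasswd files that carry cleartext entries, reporting only account names and counts. The eight-field vpasswd layout, the function names and the sample data are assumptions constructed for illustration; pass the real domains directory to audit_domains.

```sh
#!/bin/sh
# Added example. Assumed vpasswd layout (not stated on this page):
#   name:crypt_hash:uid:gid:gecos:dir:quota:clear_password
# Field 8 is assumed to be filled only by --enable-clear-passwd=y builds.

# Print account names whose cleartext field is non-empty.
# The stored password itself is never echoed.
clear_accounts() {
    awk -F: 'NF >= 8 && $8 != "" { print $1 }' "$1"
}

# Report "path<TAB>count" for each vpasswd file under $1 that holds
# cleartext entries. Exit status 1 means at least one such file exists.
audit_domains() {
    find "$1" -type f -name vpasswd | (
        status=0
        while IFS= read -r f; do
            n=$(clear_accounts "$f" | wc -l | tr -d ' ')
            if [ "$n" -gt 0 ]; then
                printf '%s\t%s\n' "$f" "$n"
                status=1
            fi
        done
        exit "$status"
    )
}

# Constructed sample data: one domain with a cleartext entry,
# one domain whose entries have no cleartext field at all.
make_sample() {
    mkdir -p "$1/example.org" "$1/example.net"
    cat > "$1/example.org/vpasswd" <<'EOF'
alice:$1$constructed$hashAAAAAAAAAAAAAAAAAA:1:0:Alice:/d/example.org/alice:NOQUOTA:hunter2
bob:$1$constructed$hashBBBBBBBBBBBBBBBBBB:1:0:Bob:/d/example.org/bob:NOQUOTA:
EOF
    cat > "$1/example.net/vpasswd" <<'EOF'
carol:$1$constructed$hashCCCCCCCCCCCCCCCCCC:1:0:Carol:/d/example.net/carol:NOQUOTA
EOF
}

# Demo run against the constructed sample only.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_domains "$demo_dir" || echo "cleartext passwords present"
rm -rf "$demo_dir"
```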
