You have been subscribed to a public bug:

Binary package hint: tomboy

Tomboy writes a log file at ~/.tomboy.log. If the user is using WebDAV
to synchronize notes to a server, then the log file contains the full
command-line for "wdfs", including the user's password. Although the
permissions on the file are -rw-r-----, this still seems like poor
security.

If tomboy is launched from the command-line, then the password also
appears in the terminal.

For clarification:

(1) tomboy does require that the password be stored in the user's
keyring, in such a way that it is unlocked at login. So anyone who has
access to the user's GNOME desktop has access to the plaintext password
anyway (just open up "seahorse", and view the password). But still, the
user shouldn't expect the password to be written to disk.

(2) wdfs is (I think) not part of the Ubuntu distribution yet, so this
functionality is not available in tomboy in a default install. Only
users who seek out wdfs are affected.

** Affects: tomboy
     Importance: Unknown
         Status: Unknown

** Affects: tomboy (Ubuntu)
     Importance: Low
     Assignee: Ubuntu Desktop Bugs (desktop-bugs)
         Status: Triaged

-- 
Tomboy leaves passwords in log file
https://bugs.edge.launchpad.net/bugs/207910
You received this bug notification because you are a member of Ubuntu Desktop 
Bugs, which is a bug assignee.

-- 
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
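
The logging problem reported above, as an added example that is not part of the original report and is not Tomboy's code: a helper command line is redacted before it is logged, and existing log text is scanned for lines that still carry a secret. The `-o username=...,password=...` option syntax is an assumption (the report shows no command line); the host, paths and passwords are constructed sample values.

```python
import re
import shlex

MASK = "REDACTED"

# Assumption: the secret is passed as a key=value option, either as its own
# argument or inside a comma-separated "-o" option list.
_SECRET_OPT = re.compile(r"(?i)(^|,)(password|passwd|pass)=.*", re.S)

# Detection pattern for text already on disk: a secret key followed by any
# value other than the mask.
_LEAK = re.compile(
    r"(?i)(?<![A-Za-z0-9_])(password|passwd|pass)=(?!" + MASK + r"\b)\S"
)

# Constructed sample: the password deliberately contains a comma.
SAMPLE_ARGV = [
    "wdfs", "https://dav.example.invalid/notes", "/home/alice/sync",
    "-o", "username=alice,password=s3cr,et,locking",
]


def redact_argv(argv):
    """Return a copy of argv with secret option values masked.

    Everything after the secret key is masked up to the end of the argument,
    so a password that contains commas is never partly logged. Options that
    follow the secret in the same argument are masked too (fail closed).
    """
    return [
        _SECRET_OPT.sub(lambda m: f"{m.group(1)}{m.group(2)}={MASK}", arg)
        for arg in argv
    ]


def loggable_command(argv):
    """Shell-quoted, redacted command line that is safe to write to a log."""
    return shlex.join(redact_argv(argv))


def leaking_lines(log_text):
    """1-based numbers of the lines in log_text that still contain a secret."""
    return [
        n for n, line in enumerate(log_text.splitlines(), 1)
        if _LEAK.search(line)
    ]
```

Redacting at the logging call does nothing for copies already on disk, so a log that `leaking_lines` flags still has to be removed or rewritten and the password changed.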
