Using the check list as the project definition seems to be lacking.
        Is there no documentation that describes what's being proposed?

        Manual Pages
             /usr/share/man/man1/axyftp.1

        Minimally I'd expect to find this in the case directory.

        Help Documentation
            /usr/share/doc/axyftp/help.html               
            /usr/share/doc/axyftp/intro.html
            /usr/share/doc/axyftp/axyftp.html
            /usr/share/doc/axyftp/main.html
            /usr/share/doc/axyftp/options.html
            /usr/share/doc/axyftp/panels.html
            /usr/share/doc/axyftp/problems.html
            /usr/share/doc/axyftp/session.html
            /usr/share/doc/axyftp/glossary.html
            /usr/share/doc/axyftp/doc.gif
            /usr/share/doc/axyftp/folder.gif
            /usr/share/doc/axyftp/link.gif
            /usr/share/doc/axyftp/up.gif
        Maximally I'd expect to find these in the case directory.

> >     3.4.3 Auditing
> >       (see http://opensolaris.org/os/community/arc/policies/audit-policy/ for details)
> >       (see http://opensolaris.org/os/community/arc/caselog/2003/397 for details)
> >       Does this component contain administrative or security enforcing software?
> >       [ ] Yes - ARC review required
> >       [X] No - continue to next section
> >       

> >     3.4.4 Authentication
> >       (see http://opensolaris.org/os/community/arc/policies/PAM/)
> >       Do the components contain any authentication code?
> >       [ ] Yes
> >       [X] No - continue to next section

> >     3.4.5 Passwords
> >       (see http://opensolaris.org/os/community/arc/bestpractices/passwords-cli/ and
> >            http://opensolaris.org/os/community/arc/bestpractices/passwords-files/ for details)
> >       Do any of the components for the project deal with passwords?
> >       [X] Yes
> >       [ ] No - continue to next section
> >       
> >       If yes are these passwords entered via the CLI or environment?
> >       [ ] Yes - ARC review required
> >       [ ] No
> >       [X] GUI window, all entries shown as '*'.
> >       
> >       Are passwords stored within the file system for the component?
> >       [X] Yes
> >       [ ] No - continue to next section
> >       
> >       If yes are the permissions on the file such to protect exposing the password(s)?
> >       [X] Yes
> >       [ ] No - ARC review required
> >       

        Just to be clear, this is an FTP client, correct?  So what is it
        doing storing passwords?  Why shouldn't it be using a keychain?

Gary..
