On 12/18/2017 09:08 PM, Felix Geyer wrote:
On Mon, 18 Dec 2017 18:04:19 +0100 Heinrich Schuchardt <xypron.g...@gmx.de> 
wrote:
Not encoding the password means that any user application can fetch it
and send it to the internet even if ~/.config is chmod 700.

Can anything be worse?

Well, that's the unfortunate state of security on the Linux desktop (and other 
major desktop OSes).
Largely there is no privilege separation between applications.
They all run in the same context so they can't really keep secrets from each 
other.
Technologies like Flatpak and Snappy are trying to solve this by sandboxing 
applications [0].

Felix

[0] https://github.com/flatpak/flatpak/wiki/Sandbox

Storing the password in the KDE wallet manager would mean that the password could only be retrieved when the wallet is open.

This is not perfect security but better than having the password available at all times.

Best regards

Heinrich

_______________________________________________
pkg-kde-extras mailing list
pkg-kde-extras@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras

Reply via email to