amule.conf may contains passwords: should not be world-readable
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
amule (Ubuntu) |
Expired
|
Undecided
|
Unassigned |
Bug Description
Binary package hint: amule
How to reproduce :
Install amule pkg, create amule user, add it to /etc/default/amule.
sudo service amule-daemon start
The first launch will create files in ~/.aMule (rwxr-xr-x) - including a amule.conf file, which is created as rw-r--r--
The only way to interact with the amule daemon is to enable remote access and add a password in the "Password" or "ECPAssword" field. Password have to be MD5-encrypted, but it's still a vulnerability. At least this file should be 640.
ProblemType: Bug
Architecture: i386
Date: Mon Dec 7 10:36:31 2009
DistroRelease: Ubuntu 9.10
Package: amule-daemon 2.2.6-0ubuntu1
ProcEnviron:
LANGUAGE=fr_FR:fr
PATH=(custom, user)
LANG=fr_FR.UTF-8
SHELL=/bin/bash
ProcVersionSign
SourcePackage: amule
Uname: Linux 2.6.31-15-generic i686
XsessionErrors: (polkit-
Changed in amule (Ubuntu): | |
status: | New → Confirmed |
visibility: | private → public |
Thank you for taking the time to report this bug and helping to make Ubuntu better. We are sorry that we do not always have the capacity to look at all reported bugs in a timely manner. There have been many changes in Ubuntu since that time you reported the bug and your problem may have been fixed with some of the updates. It would help us a lot if you could test it on a currently supported Ubuntu version. When you test it and it is still an issue, kindly upload the updated logs by running apport-collect 493554 and any other logs that are relevant for this particular issue.