no way to interactively input the password

Bug #574245 reported by Maxim Kirillov
This bug affects 1 person
Affects: openchange (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

This is a feature request rather than a bug; I don't see a place to put the priority.

Release: ubuntu karmic
Package: openchangeclient
Version: 1:0.8.2+svn1423-1ubuntu1

openchangeclient is really brilliant software; I expect it to let me use my favourite MUA for emails. But I cannot find how to make it ask for the password interactively. Currently I could find only 2 ways of passing the password:

1. Put it in the database. This is obviously bad for security.
2. Pass it in a command-line argument. This is bad too, because the command line is accessible to all processes on the same host, and I have to take special care not to store this command in history.

Please implement interactive request for the password.

ProblemType: Bug
Architecture: i386
Date: Mon May 3 10:14:24 2010
DistroRelease: Ubuntu 9.10
Package: openchangeclient 1:0.8.2+svn1423-1ubuntu1
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-19.56-generic
SourcePackage: openchange
Uname: Linux 2.6.31-19-generic i686
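
What the request above asks for, as an added example in C (not part of the original report and not openchange code; `read_secret` and `wipe` are hypothetical names): the password is read from the controlling terminal with echo switched off, so it is never placed in argv, the shell history, or the profile database.

```c
#include <fcntl.h>
#include <stdio.h>
#include <termios.h>
#include <unistd.h>

/* Hypothetical helper: zero a buffer via a volatile pointer so the stores stay. */
static void wipe(void *p, size_t n)
{
    for (volatile unsigned char *v = p; n--; ) *v++ = 0;
}

/* Hypothetical helper: read one line from fd into buf (newline stripped). Echo is
 * off while a terminal user types. Returns length, or -1 on error/EOF/overflow. */
static long read_secret(int fd, const char *prompt, char *buf, size_t len)
{
    struct termios saved, quiet;
    int tty = isatty(fd) && tcgetattr(fd, &saved) == 0;
    size_t n = 0;
    long ret = -1;
    char c;

    if (len == 0) return -1;
    if (tty) {
        quiet = saved;
        quiet.c_lflag &= ~(tcflag_t)ECHO;
        if (tcsetattr(fd, TCSAFLUSH, &quiet) != 0) return -1;
        fputs(prompt, stderr);
    }
    while (read(fd, &c, 1) == 1) {
        if (c == '\n') { buf[n] = '\0'; ret = (long)n; break; }
        if (n + 1 >= len) break;        /* fail instead of silently truncating */
        buf[n++] = c;
    }
    if (tty) {
        tcsetattr(fd, TCSAFLUSH, &saved);   /* always restore echo */
        fputc('\n', stderr);
    }
    if (ret < 0) wipe(buf, len);
    return ret;
}

int main(void)
{
    char pw[128];
    int fd = open("/dev/tty", O_RDWR);  /* the terminal, even if stdin is a pipe */
    long n = fd < 0 ? -1 : read_secret(fd, "Password: ", pw, sizeof pw);
    if (n >= 0) printf("read %ld characters\n", n);
    wipe(pw, sizeof pw);                /* drop the secret once it has been used */
    return n < 0;
}
```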

Brad Hards (bradh) wrote :

Is it really bad in the database? If you are the only person that can read the database file, then there is no issue, right?

Maxim Kirillov (max630) wrote :

I cannot be the only person who can read the file, because the file is physically on disk, and can be read in quite a number of ways.

Note that this is not only a matter of personal paranoia. Passwords for such a protocol can be used for accessing not only the email account but also other resources in a large network. And sometimes people who run the network are not enthusiastic at all about storing the password on client computers.

One possible solution for it is to encrypt the database file. As far as I know, there is no such encryption in case of openchangeclient. So one should use some external encryption, which is too complicated again.

Brad Hards (bradh) wrote :

I'm not sure I understand the problem (or the security threat you're trying to protect against).

Is the problem that filesystem permissions (on a file in your home directory) are not sufficient? The only person that could override those permissions is someone with superuser privileges. If they want the password, there are many ways they can get the password (e.g. modify openchangeclient binary to send it to them).

You are right that there is no encryption on the openchange profile database. You could protect it using disk encryption.
