On Wed, 18 Aug 1999, Thomas Biege wrote:

> The current version (4.5.37) of mc, that is used by SuSE creates
> the history file mode 600 independently of the umask.
>
> Nevertheless, I think it's a very bad behavior to record account
> information, because it could be used by a cracker to gain access
> to more sites.
> The authors of mc should disable recording this kind of stuff.

The authors of The Midnight Commander have disabled recording of passwords to ~/.mc/history.

Currently MC users can input passwords by three different means:

1. Password input dialogs: users are queried when a password is needed in order to proceed. These passwords are hidden during input.

2. For convenience's sake users are allowed to embed passwords into URLs, e.g. to ftp to some host they can enter `cd ftp://user:password@somehost' into the command line. These passwords are displayed in plain text during input because the command line's first purpose is not to input passwords. You better know what you are doing when you use this feature.

3. PASSWD environment variable.

Passwords entered by means of no. 1 haven't been stored to any file since release 4.1.15, the first release with the new input line history.

Since February (release 4.5.11) passwords entered by means of no. 2 have been removed as soon as the complete input line is pushed onto the history stack, provided that MC is able to recognize the password. Enter a URL with an embedded password into the command line, move backward and forward (M-p, M-n) in the history once and you will see that the password has gone.

Since the same time access rights of ~/.mc/history have been restricted to the owner in case passwords are entered where we don't expect one and where it isn't even remotely possible to detect it as a password, e.g. passwords entered into the search dialog of the internal viewer.

No. 3 is only used by the new samba virtual file system which is still under development and not built by default. Use of PASSWD is a known deficiency and it isn't even documented. PASSWD will be supplemented by password input dialogs during further development. No need to mention that passwords fetched from PASSWD aren't recorded to any file either.

Regards,
Norbert
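
Added example, not part of the message above and not The Midnight Commander's own code: a C sketch of the two protections the message describes, removing a password embedded in a URL before the line reaches the history and forcing the history file to owner-only access whatever the umask or earlier mode. The function names `scrub_url_passwords` and `append_history` are hypothetical, and treating the last '@' of the authority part as the end of the user information is an assumption of this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy line to out without ":password" in scheme://user:password@host; returns removals. */
int scrub_url_passwords(const char *line, char *out, size_t outlen)
{
    size_t o = 0, i;
    int removed = 0;
    const char *p = line;
    if (outlen == 0) return 0;
    while (*p && o + 1 < outlen) {
        if (strncmp(p, "://", 3) == 0) {
            const char *auth = p + 3, *at = NULL, *colon;
            size_t len = strcspn(auth, "/ \t");   /* authority ends at '/' or blank */
            for (i = 0; i < len; i++)             /* last '@': a password may contain '@' */
                if (auth[i] == '@') at = auth + i;
            colon = at ? memchr(auth, ':', (size_t)(at - auth)) : NULL;
            if (colon) {
                size_t keep = (size_t)(colon - p); /* length of "://user" */
                if (keep > outlen - 1 - o) keep = outlen - 1 - o;
                memcpy(out + o, p, keep);
                o += keep;
                p = at;                            /* resume copying at "@host" */
                removed++;
                continue;
            }
        }
        out[o++] = *p++;
    }
    out[o] = '\0';
    return removed;
}

/* Append the scrubbed line to the history file, forcing owner-only access. */
int append_history(const char *path, const char *line)
{
    char clean[1024];
    size_t n;
    int ok, fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0) return -1;
    /* umask only clears bits at creation; fchmod also tightens an existing file */
    ok = fchmod(fd, S_IRUSR | S_IWUSR) == 0;
    scrub_url_passwords(line, clean, sizeof clean - 1);
    n = strlen(clean);
    clean[n++] = '\n';
    ok = ok && write(fd, clean, n) == (ssize_t)n;
    return (close(fd) == 0 && ok) ? 0 : -1;
}
```

A line with no recognizable URL passes through unchanged, which is why the owner-only file mode is still needed as the second layer.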
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:25 PDT