More secure secret storage #118

Open
8d4eg6 opened this issue Feb 20, 2020 · 1 comment

Comments


8d4eg6 commented Feb 20, 2020

Directory ~/.config/etesync-dav is mode 755 and the contents are 644, among which I counted at least one plaintext secret. Consider narrowing permissions and/or moving the sensitive data to the OS keychain.

tasn added a commit that referenced this issue Feb 20, 2020
It was 755 before, it's now 700. It doesn't necessarily make a practical
difference because in almost all cases the encompassing directory (the
user's homedir) will have strict enough permissions, but it doesn't
hurt either.

Partially addresses #118
Member

tasn commented Feb 20, 2020

Thanks for the report. I narrowed down the permissions, as suggested, though haven't made the changes to use the OS's keychain yet. It shouldn't be too hard though, using something like https://pypi.org/project/keyring/

On a related note, we are working on making some changes to how EteSync works which should also affect etesync-dav, so the rest of this ticket will probably not be addressed until that is done.
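The permission narrowing discussed in this thread (755 to 700 for the directory, 644 to 600 for its contents), as an added example that is not part of the issue or of etesync-dav's code. The function names, the `secret.example` file name and the temporary directory are assumptions made for illustration; the page does not name the file that holds the secret.

```python
import os
import stat
import tempfile

GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO  # every permission bit beyond the owner's


def entries(root):
    """Yield root, its subdirectories and its files (symlinks are not followed)."""
    for dirpath, _dirs, files in os.walk(root):
        yield dirpath
        for name in files:
            yield os.path.join(dirpath, name)


def audit(root):
    """Return [(path, mode)] for entries that grant anything to group or other."""
    findings = []
    for path in entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # chmod would act on the link target, so leave links alone
        mode = stat.S_IMODE(st.st_mode)
        if mode & GROUP_OTHER:
            findings.append((path, mode))
    return findings


def tighten(root):
    """Clear group/other bits (755 -> 700, 644 -> 600); return what was changed."""
    changed = audit(root)
    for path, mode in changed:
        os.chmod(path, mode & ~GROUP_OTHER)
    return changed


def write_secret(path, data):
    """Create a new file that is 0600 from the start, never briefly 0644."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed stand-in directory
        cfg = os.path.join(tmp, "etesync-dav")
        os.mkdir(cfg)
        os.chmod(cfg, 0o755)
        write_secret(os.path.join(cfg, "secret.example"), b"constructed-value")
        os.chmod(os.path.join(cfg, "secret.example"), 0o644)
        for path, mode in tighten(cfg):
            print(f"{oct(mode)} -> {oct(mode & ~GROUP_OTHER)}  {path}")
```

`audit()` alone is a read-only check that can run against an existing config directory before anything is changed.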
