After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 85559 - Store proxy password with libsecret
Store proxy password with libsecret
Status: RESOLVED OBSOLETE
Product: gnome-control-center
Classification: Core
Component: Network
git master
Other All
: High normal
: ---
Assigned To: Control-Center Maintainers
Control-Center Maintainers
: 118168 321602 379687 (view as bug list)
Depends on:
Blocks:
 
 
Reported: 2002-06-17 05:11 UTC by Rashmi Agrawal
Modified: 2021-06-09 16:08 UTC
See Also:
GNOME target: ---
GNOME version: Unversioned Enhancement


Description Rashmi Agrawal 2002-06-17 05:11:34 UTC 
HTTP proxy password settings can get exposed if set through network
preference capplet. Through this capplet, HTTP proxy user name and password
can be specified. This username and password is then stored in
	"/<user home directory>/.gconf/system/http-proxy/%gconf.xml"
in CLEAR TEXT with read/write/exec permission to user only.

This settings are then used by the applications like nautilus, gweather
stockticker etc.

This is an issue in terms of privacy because of the following
1. The root can see the password for user's http proxy settings.
2. If the home directory is exported to other systems and then mounted nfs.
In this case others can also see the password.

Possible solutions:

1. preliminary thoughts are encrypting the password before storing and
decrypting it at the point of retrieval.

The fix is likely to affect the network preferences capplet and components
which retrieve the information.
Comment 1 Chema Celorio 2002-06-20 08:15:45 UTC 
Your preliminary thoughts do not solve anything.

If you need to pass that password to the proxy then you need a piece
of code that takes that password and decrypts it, Rigth?

Then ... if there is such piece of code that can take an crypted
password and generate a clean password, How are you going to avoid
root running that piece of code and decrypting it?
Comment 2 Rashmi Agrawal 2002-06-20 10:14:33 UTC 
I understand that root can still have access to password. 

While storing the password by user through capplet, user might not be
aware that the password is getting stored in clear text and can be
seen by root. At least user could be warned that the password
information being stored can be seen by others. This is not being done
at present. 

In case, user is not willing to disclose his/her http proxy password
to anybody and is not willing to store it through network capplet
because of privacy issues, other applications(like nautilus etc)
should prompt for password.

In this case at least user would know that private information can be
seen by others and have an option to not to store in his/her home
directory.
Comment 3 Chema Celorio 2002-06-20 16:08:30 UTC 
I am not saying that this could not happen, all I am saying is that
encrypting and decrypting the password changes nothing.
Comment 4 Michael Meeks 2002-06-20 17:12:35 UTC 
Worse than that, root can see/steal ~/.ssh/identity and thus steal
your identity - is it even me that is typing this ? ;-)
Comment 5 Rashmi Agrawal 2002-07-25 09:33:23 UTC 
The issue was discussed in the community through desktop-devel-list.
The link to the thread is

http://mail.gnome.org/archives/desktop-devel-list/2002-July/msg00515.html

There is a consensus to at least encrypt the password and store it
into the disk. A patch to this will be provided soon. 

Along with it, password prompting feature is currently being
considered.
Comment 6 Hema Seetharamaiah 2002-11-04 10:42:04 UTC 
No intermediate solution of encrypt and save to disk patch will be
provided to the community.
Comment 7 Christian Neumair 2004-07-20 18:05:42 UTC 
Verified on HEAD as well. Can't we use the shiny new keyring manager for this
kind of pwd magic?

regs,
 Chris
Comment 8 Teppo Turtiainen 2005-07-15 16:33:59 UTC 
*** Bug 118168 has been marked as a duplicate of this bug. ***
Comment 9 Sebastien Bacher 2005-11-27 14:38:00 UTC 
*** Bug 321602 has been marked as a duplicate of this bug. ***
Comment 10 Sebastien Bacher 2006-12-17 22:52:03 UTC 
*** Bug 379687 has been marked as a duplicate of this bug. ***
Comment 11 Josh Triplett 2011-04-05 03:50:44 UTC 
Since trivial obfuscation (which doesn't increase security at all) definitely won't happen, repurposing this bug as a feature request for storing the proxy password in gnome-keyring instead.
Comment 12 Nirbheek Chauhan 2011-09-29 06:28:35 UTC 
Aren't HTTP proxy passwords sent out in clear text over the network anyway?
Comment 13 Bastien Nocera 2013-04-23 13:20:57 UTC 
Dan, Stef, is this something we can implement? What about applications relying on libproxy directly?
Comment 14 Dan Winship 2013-04-23 13:30:33 UTC 
We could definitely have glib-networking pull the password out of the secret store rather than gsettings.

Apps using libproxy would lose until libproxy got updated to use libsecret and distros got updated to use the new libproxy...

(Hm... we should tweak the libproxy gnome plugin to try to just use GProxyResolverGnome...)
Comment 15 André Klapper 2021-06-09 16:08:52 UTC 
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org.
As part of that, we are mass-closing older open tickets in bugzilla.gnome.org
which have not seen updates for a longer time (resources are unfortunately
quite limited so not every ticket can get handled).

If you can still reproduce the situation described in this ticket in a recent
and supported software version, then please follow
  https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines
and create a new bug report at
  https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/

Thank you for your understanding and your help.