[27339] in Athena Bugs
Re: Debathena Beta: thunderbird
daemon@ATHENA.MIT.EDU (Evan Broder)
Wed Jul 22 13:33:23 2009
Message-ID: <4A674D55.3040207@mit.edu>
Date: Wed, 22 Jul 2009 10:33:09 -0700
From: Evan Broder <broder@mit.edu>
To: mkhusid@mit.edu
In-Reply-To: <200907161633.n6GGXqw9021275@outgoing.mit.edu>
Cc: bugs@mit.edu

Hi -

Sorry we dropped this on the floor for a bit; we were waiting to
respond until we had a chance to discuss it at the Release Team meeting
yesterday.

First of all, storing your password in AFS is not inherently insecure.
The wrapper script for Thunderbird (/usr/bin/thunderbird.debathena) sets
the AFS permissions on your Thunderbird profile to be private, and the
debathena-afs-config package enables AFS wire encryption (in
/etc/openafs/afs.conf.client).

It's also not really worse than our current setup for Firefox - we don't
disallow storing passwords there, and they also go into a private
directory in your homedir. In both cases, the passwords are obfuscated
but not encrypted.

Also, one of the goals of Debathena is to create a distribution where
the differences from the standard Ubuntu configurations are minimal, so
when we were creating the debathena-thunderbird-config package, we tried
to limit the options we set to only those needed to get the right
configuration in place. As a result, we dropped several options used by
the thunderbird locker from our config.

With all that said, we did decide yesterday to re-enable this option,
but as a defaultPref instead of a lockPref. I went looking in the
thunderbird locker's config, though, and I can't find the setting that
disables storing passwords. My best guess was signon.rememberSignons,
but that line is commented out. Do you know which preference we need to
be setting?

- Evan

mkhusid@MIT.EDU wrote:
> System name: m12-182-2
> Type: i686
> Display type: ATI Technologies Inc RV516 [Radeon X1300/X1550 Series]
>
> Shell: /bin/athena/tcsh (?)
> Window manager: unknown
>
> What were you trying to do?
> Running thunderbird. Thunderbird asked me to enter a password and provided a remember password option.
>
> What's wrong:
> Option to remember password was intentionally disabled on previous versions of Athena due to security of storing the kerberos password on AFS.
>
> What should have happened:
> There should have been no option to store password in Thunderbird.
>
> Please describe any relevant documentation references:
> Please see details on the implementation in the thunderbird locker.
>