.netrc

Noah Friedman (friedman@gnu.ai.mit.edu)
Tue, 8 Mar 94 15:11 EST


I still maintain that mandatory permissions on configuration files are
completely bogus.

Let's face it.  Unix security is terrible.  NFS, for example, requires no
authentication whatsoever.  If you can deduce the proper filehandle for an
NFS file, you can talk to nfsd and read or write whatever you want.  On
most systems guessing filehandles is easy.

Regardless of this, if the permissions on .netrc are left world-readable
for any length of time, the damage has already been done; someone may have
copied your file and gotten your passwords.  So what good does it do to
insist on closing the barn door after the horses have escaped?  For the ftp
program to emit a warning about your file permissions is bad enough, but
refusing outright to use its contents is simply unacceptable.

Nonetheless, in spite of this reasoning about security and the viewpoint
that software design should not force choices on users about their own
privacy, at least one NetBSD hacker I talked to refused outright even to
consider removing this bug.

ange-ftp has a marginally acceptable compromise:

   ;; disable gratuitous, ineffective (but annoying), paranoid fascism
   (setq ange-ftp-disable-netrc-security-check t)
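
[Added example, not part of the original message and not code from ftp, NetBSD or ange-ftp: a sketch in C of the kind of .netrc permission check discussed above, with the warn-versus-refuse choice as a parameter. The names netrc_check and write_sample, the status values, and the rule of flagging only files that contain a "password" token are assumptions made for illustration.]

```c
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum netrc_status { NETRC_OK, NETRC_WARN, NETRC_REFUSE, NETRC_ERROR };

/* Return 1 if the text holds a "password" token, the field worth protecting. */
static int has_password_token(char *text)
{
    for (char *tok = strtok(text, " \t\r\n"); tok; tok = strtok(NULL, " \t\r\n"))
        if (strcmp(tok, "password") == 0)
            return 1;
    return 0;
}

/* strict != 0: refuse an exposed file; strict == 0: warn but still use it.
 * Only the first 4095 bytes are scanned, enough for this sketch. */
enum netrc_status netrc_check(const char *path, int strict)
{
    char buf[4096];
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return NETRC_ERROR;
    /* fstat the open descriptor so the mode belongs to the file being read. */
    ssize_t n = fstat(fd, &st) == 0 ? read(fd, buf, sizeof buf - 1) : -1;
    close(fd);
    if (n < 0)
        return NETRC_ERROR;
    buf[n] = '\0';
    /* Exposed = any group/other permission bit on a file storing a password.
     * This reports the current mode only, not whether it was readable before. */
    if ((st.st_mode & 077) == 0 || !has_password_token(buf))
        return NETRC_OK;
    return strict ? NETRC_REFUSE : NETRC_WARN;
}

/* Demo helper: write constructed sample text with exactly the given mode. */
int write_sample(const char *path, const char *text, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, text, strlen(text));
    close(fd);
    return (w == (ssize_t)strlen(text)) ? chmod(path, mode) : -1;
}
```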