[Fwd: Re: axyftp [LSARC/2008/271 Self Review]]
Charles Baker
Charles.Baker at sun.com
Tue Apr 22 15:11:17 PDT 2008
Hi Mark,
Please see in-line.
thanks
Charles
> ------------------------------------------------------------------------
>
> Subject: Re: axyftp [LSARC/2008/271 Self Review]
> From: Gary Winiger <gww at eng.sun.com>
> Date: Tue, 22 Apr 2008 11:13:08 -0700 (PDT)
> To: Mark.Carlson at Sun.COM, lsarc-ext at sun.com
>
>
> Using the check list as the project definition seems to be lacking.
> Is there no documentation that describes what's being proposed?
>
> Manual Pages
> /usr/share/man/man1/axyftp.1
>
> Minimally I'd expect to find this in the case directory.
>
> Help Documentation
> /usr/share/doc/axyftp/help.html
> /usr/share/doc/axyftp/intro.html
> /usr/share/doc/axyftp/axyftp.html
> /usr/share/doc/axyftp/main.html
> /usr/share/doc/axyftp/options.html
> /usr/share/doc/axyftp/panels.html
> /usr/share/doc/axyftp/problems.html
> /usr/share/doc/axyftp/session.html
> /usr/share/doc/axyftp/glossary.html
> /usr/share/doc/axyftp/doc.gif
> /usr/share/doc/axyftp/folder.gif
> /usr/share/doc/axyftp/link.gif
> /usr/share/doc/axyftp/up.gif
> Maximally I'd expect to find these in the case directory.
>
>
The additional materials have been placed in the case directory.
>>> 3.4.3 Auditing
>>> (see http://opensolaris.org/os/community/arc/policies/audit-policy/ for details)
>>> (see http://opensolaris.org/os/community/arc/caselog/2003/397 for details)
>>> Does this component contain administrative or security enforcing software?
>>> [ ] Yes - ARC review required
>>> [X] No - continue to next section
>>>
>>>
>
>
>>> 3.4.4 Authentication
>>> (see http://opensolaris.org/os/community/arc/policies/PAM/)
>>> Do the components contain any authentication code?
>>> [ ] Yes
>>> [X] No - continue to next section
>>>
>
>
>>> 3.4.5 Passwords
>>> (see http://opensolaris.org/os/community/arc/bestpractices/passwords-cli/ and
>>> http://opensolaris.org/os/community/arc/bestpractices/passwords-files/ for details)
>>> Do any of the components for the project deal with passwords?
>>> [X] Yes
>>> [ ] No - continue to next section
>>>
>>> If yes are these passwords entered via the CLI or environment?
>>> [ ] Yes - ARC review required
>>> [ ] No
>>> [X] GUI window, all entries shown as '*'.
>>>
>>> Are passwords stored within the file system for the component?
>>> [X] Yes
>>> [ ] No - continue to next section
>>>
>>> If yes are the permissions on the file such to protect exposing the password(s)?
>>> [X] Yes
>>> [ ] No - ARC review required
>>>
>>>
>
> Just to be clear, this is an FTP client, correct? So what is it
> doing storing passwords? Why shouldn't it be using a keychain?
>
The axyftp GUI allows the user to save the "jumbled" password. The
"jumbled" password is saved in a ~/.axyftp directory. The file containing
the jumbled password has permissions set to 600. This project includes
only an inbound OSR at this time.
> Gary..
> _______________________________________________
> opensolaris-arc mailing list
> opensolaris-arc at opensolaris.org
>
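
The reply above relies on mode 600 to protect the saved password file under ~/.axyftp. The following is an added example, not part of the original thread or of axyftp itself, showing one way to verify that claim on a system; the function name is hypothetical, and only the ~/.axyftp path and the 600 mode come from the message.

```python
import os
import stat
import sys


def audit_credential_dir(path, uid=None):
    """Return (path, problem) findings for a per-user credential directory.

    Flags files readable or writable by group/other (anything looser than
    0600), directories writable by group/other, entries owned by another
    user, and symlinks, whose targets this check does not follow.
    """
    uid = os.getuid() if uid is None else uid
    targets = [path]
    for root, dirs, files in os.walk(path):  # does not descend into symlinks
        targets += [os.path.join(root, name) for name in dirs + files]

    findings = []
    for p in targets:
        st = os.lstat(p)  # lstat: inspect the link itself, not its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((p, "symlink, target not checked"))
            continue
        if st.st_uid != uid:
            findings.append((p, "owned by uid %d, expected %d" % (st.st_uid, uid)))
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISDIR(st.st_mode):
            # A directory writable by others lets them replace the file.
            if mode & 0o022:
                findings.append((p, "directory writable by group/other (%04o)" % mode))
        elif mode & 0o077:
            findings.append((p, "file accessible by group/other (%04o)" % mode))
    return findings


if __name__ == "__main__":
    # Directory named in the message; the files inside it are not named there.
    target = os.path.expanduser("~/.axyftp")
    if not os.path.isdir(target):
        sys.exit("%s not found" % target)
    problems = audit_credential_dir(target)
    for p, why in problems:
        print("%s: %s" % (p, why))
    sys.exit(1 if problems else 0)
```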