Closed GoogleCodeExporter closed 9 years ago
I think we should document this in the FAQ, as well as putting a note on the starting page for Crunchy. Something like:
This version of Crunchy is intended to be used by a single user. If Crunchy is running on a multi-user system, everyone can access it and have commands executed from the account from which Crunchy was launched.
Original comment by andre.ro...@gmail.com on 9 Jun 2008 at 1:09
This would be a slight help, but all modern systems are multi-user. It doesn't matter whether the other users are "human" or not. All modern Unixes run unprivileged processes using various users, and it is assumed that they cannot execute code as a user with higher privileges. This problem probably doesn't affect Windows as much - as far as I know "consumer" Windows doesn't use different users in this way.
If we tell people not to use Crunchy in a multi-user environment then we are effectively blocking out all Unix users. It doesn't matter if they are the only user logged in to the user interface, we are still opening up a massive security hole.
Original comment by johannes...@gmail.com on 9 Jun 2008 at 1:55
I can confirm that the same problem is present when running Windows. I had Crunchy running under one user, switched user and was able to connect, etc.
Original comment by andre.ro...@gmail.com on 9 Jun 2008 at 8:08
Tao has implemented a solution that is likely to be completely satisfactory. Keeping the issue alive until other aspects are taken care of (e.g. password manager, storing password in a separate file - and not in Crunchy's code, etc.). Also changing the label to release 1.0.
Original comment by andre.ro...@gmail.com on 12 Jun 2008 at 2:48
All remaining issues listed in comment 4 have been taken care of.
Original comment by andre.ro...@gmail.com on 28 Sep 2008 at 4:59
Original issue reported on code.google.com by johannes...@gmail.com on 9 Jun 2008 at 12:57