etesync / etesync-dav

This is a CalDAV and CardDAV adapter for EteSync
https://www.etesync.com
GNU General Public License v3.0

Storing generated DAV credentials in plain text #191

Open sergeyklay opened 3 years ago

sergeyklay commented 3 years ago

Hello,

This is not a real issue (at least for now). I am just trying to understand the design and the reasons why the ~/Library/Application Support/etesync-dav/htpaswd file on macOS is readable by anyone; besides, obviously, it contains my credentials in plain text.

In general I would prefer to avoid such techniques and I am wondering if this is indicated in the documentation:

tasn commented 3 years ago

Hey,

I updated the title to better reflect what's going on. As for your question: it's only the credentials used to access the DAV bridge (which are still important), and they are saved in the clear so that you can retrieve them later. We could potentially use a stronger alternative (just using sha1/md5/whatever would be security circus) and make it so you can't retrieve the password later, but instead have to reset every time you want to view it. It's a tradeoff.

As for the permissions: it's not really readable by any user on the system. It's in your home folder (~) to which only you should have access. We could tighten the etesync-dav's permissions (no harm in doing that) so I'll keep this ticket open until we do, though it shouldn't really be an issue.

Thanks a lot for reporting, and let me know if you have any other questions!

-- Tom

sergeyklay commented 3 years ago

As I said above, this isn't an issue at the moment. I'm just trying to understand the motivations and limitations, as well as the potential risks. Don't treat this as a bug report, rather a design discussion.

tasn commented 3 years ago

If anyone is able to access that file, they are likely to also be able to access the cached data. So I don't think it poses any real risks. With that being said, I'd like to further limit the directory access levels, because there are no drawbacks to doing that.

knickwall commented 3 years ago

Not sure whether this is the best place to ask this, but: I would like to log into my EteDAV server again and have forgotten the password. Now I tried to use the plaintext credentials Sergey mentioned above, but for some reason they do not work. I have tried using my e-mail and my EteSync 2.0 account name with both passwords each, but no luck. I am sure I am missing something simple here, but would be grateful for any help or hint in the right direction.

Cheers!

tasn commented 3 years ago

"Do not work" -> what's the error? Maybe try removing the directory and just adding your account again?

knickwall commented 3 years ago

Thanks for the quick response!

I followed your advice and that fixed the issue. To be honest, I may have mixed up the account password and the DAV password, but I have not tried to reproduce the error. Everything's working again like it's supposed to - thanks again!

sergeyklay commented 3 years ago

IMO, it's a common mistake to mix up the account password and the DAV password. It seems to me that this is either because of the poorly chosen terminology, or because of not obvious documentation, or for both reasons.

tasn commented 3 years ago

Yeah, it's hard getting these things right. I'm open to suggestions on how to improve things!

sergeyklay commented 3 years ago

@tasn What do you think about integrating the keyring package? Potentially, etesync-dav could store all its secrets in the system keychain. Modern OSes require a different password to access the keychain, and often accessing the keychain requires re-entering the password, even after login. The keyring package supports Windows/macOS/Linux, and at least it could be an optional feature.

tasn commented 3 years ago

If it can auto-detect whether a keyring is available or not and fall back to cleartext if it isn't, I'm fine with that. :)
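The two mitigations discussed in this thread (owner-only permissions on the config directory, and a keyring with cleartext fallback) can be sketched as follows. This is an added example, not etesync-dav's own code; it assumes a POSIX system, and the service name, file name and function names are hypothetical.

```python
import os
import stat

SERVICE = "etesync-dav-example"  # hypothetical keyring service name
CRED_FILE = "credentials"  # hypothetical file name, not the project's


def detect_keyring():
    """Return the keyring module if a usable backend exists, else None."""
    try:
        import keyring
        from keyring.backends import fail
        backend = keyring.get_keyring()
    except Exception:  # package not installed, or backend probing failed
        return None
    return None if isinstance(backend, fail.Keyring) else keyring


def loose_bits(path):
    """Permission bits granted to group/other; 0 means owner-only."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)


def write_cleartext(config_dir, user, password):
    """Fallback: cleartext, but in a 0700 directory and a 0600 file."""
    os.makedirs(config_dir, mode=0o700, exist_ok=True)
    os.chmod(config_dir, 0o700)  # makedirs honours umask, skips existing dirs
    path = os.path.join(config_dir, CRED_FILE)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)  # also tightens a pre-existing, looser file
        os.write(fd, f"{user}:{password}\n".encode())
    finally:
        os.close(fd)
    return path


def store(config_dir, user, password, keyring_mod=None):
    """Prefer the OS keychain; otherwise use the hardened cleartext file."""
    if keyring_mod is not None:
        keyring_mod.set_password(SERVICE, user, password)
        return "keyring"
    return write_cleartext(config_dir, user, password)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample input
        p = store(os.path.join(tmp, "etesync-dav"), "user@example.com", "dummy-password")
        print(p, oct(loose_bits(p)))
```

A caller would pass `detect_keyring()` as `keyring_mod`; `loose_bits` can also be run against an existing installation's directory to check whether group or other users have any access.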