Feature discussion: Access restriction for gnucash files by password
Derek Atkins
warlord at MIT.EDU
Wed Jun 26 14:20:33 EDT 2013
Geert Janssens <janssens-geert at telenet.be> writes:
[snip]
>> > What do you think?
>>
>> I think users shouldn't share userids. ;-)
>>
>> I suppose that this isn't too harmful so long as it's clear that it
>> conveys a false sense of security and that simply having separate
>> userids is a better solution.
> I'm ok with this as well.
I would want it to be very VERY clear that there is absolutely ZERO
security here. An attacker would only need to edit the XML and remove
the KVP to bypass this, which is extremely simple for anyone with a text
editor.
>> Note that the MySql and Postgresql backends do provide for
>> authentication, but we defeat it by storing the userid and password.
>> In those cases we should pop up the authentication dialog rather
>> than storing the credentials rather than using a KVP parameter on the
>> book.
>
> Agreed. For MySql and Postgresql this issue can be fixed by only
> optionally storing the
> password. Adding a "Save password" checkbox in the proper open and
> save dialogs could
> be sufficient.
Agreed. I think for DBs we can and should leverage the DB security. I
also agree with the "Save Password" checkbox, and possibly a way to
forget it, too.
I still honestly think that for SQLite and XML we shouldn't do anything.
>> Regards,
>> John Ralls
>>
>>
> Geert
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
More information about the gnucash-devel
mailing list