~sircmpwn/aerc2#426: 
Change accounts.conf security error to a warning

I am trying to add aerc to home-manager. When home-manager generates the aerc config, it places a read-only symlink pointing to a world-readable accounts.conf file in the nix store. However, with this method, I cannot run aerc as it returns with an error and the following message:

The file /home/xxx/.config/aerc/accounts.conf has too open permissions.
This is a security issue (it contains passwords).
To fix it, run `chmod 600 /home/xxx/.config/aerc/accounts.conf`
Failed to load config: account.conf permissions too lax

I cannot simply chmod it to the required permissions since the filesystem containing the accounts.conf file is read-only. I can also guarantee that there are no secrets in the generated accounts.conf file, since home-manager only adds a source-cred-cmd or outgoing-cred-cmd to the file.

What is the best way forward? In cases like this where the user can guarantee that there are no secrets in accounts.conf, the security error shouldn't block the user from running aerc. Instead, if it was a warning (and especially one that can be disabled somehow), that would be useful for users on other platforms.

Status
RESOLVED WONT_FIX
Submitter
~svmhdvn
Assigned to
No-one
Submitted
29 days ago
Updated
27 days ago
Labels
feature

~labrat 29 days ago

https://lists.sr.ht/~sircmpwn/aerc/%3CC1HLQYU8QSUI.3GYFQ9WJOH7H6%40ginger%3E#%3CC1HLVR0TS5U7.3D4ITWHA0I1CW@homura%3E

Tl;Dr: Send a patch that changes it to a warning unless there's a password in the file. Keep in mind that to parse that not only must we look for the password in the individual connections strings for all workers as those may include passwords after the colon, but also ensure that the error triggers if any of oauth bearer stuff is used as those token grant you full access to the mail account

~svmhdvn 29 days ago

Thanks for the lists archive link, I will get to work on this patch.

~labrat REPORTED WONT_FIX 27 days ago

Register here or Log in to comment, or comment via email.