
Chromium saved passwords May 18, 2010

Posted by jdstrand in security, ubuntu.
6 comments

I make use of the Master Password feature in Firefox. While not on by default, when enabled this feature encrypts your Firefox saved passwords on disk, and Firefox will prompt you when you need access to a saved password. When your browser is not running, your passwords are safe. There is a tool to try to brute force your master password if your machine is stolen, but as long as you use a strong password you should be ok (or at the very least, a strong password should give you time to change them). For more information, see http://kb.mozillazine.org/Master_password.

This is a nice feature, and one which Chromium lacks. If you let Chromium save your passwords, they are stored in the ‘~/.config/chromium/Default/Web Data’ sqlite database. Displaying them is surprisingly easy (this is 5.0.342.9~r43360-0ubuntu2 on Ubuntu 10.04 LTS; newer versions may save them somewhere else):

$ echo 'SELECT username_value, password_value FROM logins;' | sqlite3 ~/.config/chromium/Default/Web\ Data | grep -v '^|$'
username|password
username2|password2

As you can see, in essence your passwords are stored in plain text on your disk (though the ~/.config/chromium directory does have 0700 permissions). I won’t go into the reasons why Google hasn’t implemented this feature yet since people can read the bug, but it seems clear that:

  • Google is not going to fix this anytime soon
  • People need a way to protect themselves

There are some alternatives with LastPass and RoboForm, but these apparently require you to store your passwords online (I’ve not verified this personally). As it stands, there is not a way to lock your saved passwords, so I encourage Chromium users to encrypt their data using eCryptfs or LUKS full disk encryption so that at least when you turn off your computer the passwords are not readily available. In Ubuntu, you can:

  • set up LUKS full disk encryption using the alternate installer
  • set up an encrypted home directory in all the Desktop and Server installers (or migrate an existing home directory by using ‘ecryptfs-migrate-home’)
  • set up an encrypted private directory using ‘ecryptfs-setup-private’ (if you go this route, you’ll want to move ~/.config/chromium and ~/.cache/chromium into the encrypted directory and use symlinks to point to them)

In this scenario, normal DAC permissions will protect your passwords on multiuser systems (though you’ll need to be careful about the security of backups) and encrypted disks/folders will protect them in the case of theft. As always, please be vigilant about screen locking when you leave your computer while logged in though….
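A quick audit of the mitigations described above, as an added example that is not part of the original post: it reports whether a Chromium profile directory is closed to group/other and whether it resolves (through any symlink) onto an eCryptfs mount. The function names are made up for this example, and GNU stat/readlink plus a Linux /proc/mounts are assumed.

```shell
#!/bin/sh
# Added example: audit who can read a Chromium profile and where it is stored.
# Assumes GNU coreutils (stat -c, readlink -f) and a /proc/mounts-format table.

# perm_status DIR -> "ok" if no group/other bits are set (e.g. 0700),
# "exposed" if any are, "missing" if DIR does not exist.
perm_status() {
    [ -d "$1" ] || { echo missing; return 0; }
    mode=$(stat -L -c %a "$1")          # -L: follow a symlinked profile dir
    if [ $((0$mode & 077)) -eq 0 ]; then echo ok; else echo exposed; fi
}

# fs_type PATH [MOUNTS_FILE] -> filesystem type of the mount holding PATH,
# chosen as the longest mount point that is a prefix of the resolved path.
# Mount points containing whitespace (\040 in /proc/mounts) are not handled.
fs_type() {
    real=$(readlink -f "$1")
    awk -v p="$real" '
        { mp = $2; pre = (mp == "/") ? "/" : mp "/" }
        index(p "/", pre) == 1 {
            if (length(mp) >= best) { best = length(mp); t = $3 }
        }
        END { print (t == "" ? "unknown" : t) }' "${2:-/proc/mounts}"
}

# audit_profile DIR [MOUNTS_FILE] -> one summary line for DIR.
audit_profile() {
    perms=$(perm_status "$1")
    if [ "$perms" = missing ]; then echo "$1 perms=missing"; return 0; fi
    fs=$(fs_type "$1" "${2:-/proc/mounts}")
    case "$fs" in
        ecryptfs) rest=encrypted ;;
        # LUKS sits below the filesystem, so the fs type cannot confirm it;
        # look for a "crypt" entry in the TYPE column of lsblk instead.
        *)        rest=check-block-device ;;
    esac
    echo "$1 perms=$perms fs=$fs at_rest=$rest"
}

# Report on the two directories the post says to protect.
for d in "${HOME:-/nonexistent}/.config/chromium" \
         "${HOME:-/nonexistent}/.cache/chromium"; do
    audit_profile "$d"
done
```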

Browser profiles in Chromium May 17, 2010

Posted by jdstrand in ubuntu.
6 comments

A coworker turned me onto browser profiles in Firefox (thanks Kees!). Browser profiles are a great way to keep your passwords, bookmarks, preferences and even extensions separate. I like to use one for work and one for personal stuff (and a few others). For more information on how to use them in Firefox, see http://support.mozilla.com/en-US/kb/profiles.

I started playing with Chromium lately, and found that it also supports profiles (see http://www.chromium.org/user-experience/user-data-directory), but not quite as conveniently as Firefox. With Firefox, you can launch it like so:

$ firefox -ProfileManager -no-remote

and get a nice little dialog. Well, I wanted the same in Chromium, so I hacked up this little script which achieves the same:

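#!/bin/sh
# Chromium profile chooser: list the profile directories and launch the chosen one.
set -e

topdir="$HOME/.config/chromium"
# zenity radiolist rows are "<selected> <name>" pairs; Default is preselected.
# $profiles is word-split on purpose below, so profile names must not contain whitespace.
profiles="True Default"
for d in $(find -H "$topdir" -maxdepth 1 -mindepth 1 -type d) ; do
  if [ "$d" != "$topdir/Default" ] && [ "$d" != "$topdir/Dictionaries" ]; then
    profiles="$profiles False $(basename "$d")"
  fi
done

if ans=$(zenity --title "Chromium profile chooser" --text "Choose a profile from the list below:" --list --radiolist --column "Profile" --column "Item" $profiles) ; then
  if [ "$ans" = "Default" ]; then
    # Quote "$@" so URLs passed by the launcher (%u) survive intact.
    chromium-browser "$@"
  else
    chromium-browser --user-data-dir="$topdir/$ans" "$@"
  fi
else
  echo "Aborted"
fi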

I saved this as $HOME/bin/chromium-launcher.sh then created a launcher in Gnome using:

/home/<my username>/bin/chromium-launcher.sh %u

This should pick up new profiles as you add them and also works the first time you launch Chromium. Enjoy!

ClamAV update May 7, 2010

Posted by jdstrand in security, ubuntu, ubuntu-server.
1 comment so far

Upstream ClamAV pushed out an update via freshclam that crashed versions 0.95 and earlier on 32-bit systems (Ubuntu 9.10 and earlier are affected). Upstream issued an update via freshclam within 15 minutes, but affected users’ clamd daemon will not restart automatically. People running ClamAV should check that it is still running. For details see:

http://lurker.clamav.net/message/20100507.110656.573e90d7.en.html
