[Inx] Mail passwords security fix for 'persistent' sessions

Peter Garrett inx-one at optusnet.com.au
Sun Aug 16 01:36:36 PDT 2009


Hello all,

There is a fix for the "INX mail settings include plain text passwords
in .muttrc etc." issue that is Not A Good Plan for 'persistent' USB
sessions...

This is important only for USB installs of INX (inxusb installs, or
other installs using the 'persistent' boot option.)

The fix will be included in updates of course, but this is an 'interim'
fix for those who have made USB devices. 

If you are using the USB version of INX installed via 'inxusb', then
you will probably want to do the following:

* Boot with "persistent" from the device
* Run the following:
   
  sudo wget inx.maincontent.net/f-mailfunctions
  sudo mv f-mailfunctions /usr/local/lib/inx/f-mailfunctions

There are other ways - basically you want to replace the
'f-mailfunctions' file in /usr/local/lib/inx/ with the newer version as
above. If you want to see what this does, and have an understanding of
Bash, you can have a look at it:

http://inx.maincontent.net/f-mailfunctions

The changes are mostly in the "oops ()" function near the bottom,
although I've made a few other improvements elsewhere.

* If you have set up mail on 'persistent' USB, then (after doing
the above) check for plain text passwords in the files ~/.muttrc ,
~/.muttrc.bak , ~/.msmtprc and ~/.msmtprc.bak . Remove the password lines
with an editor (or whatever method you know and are comfortable with).

Background:

Normally the configuration questions for Mutt in "mailinx" (the mail
menu) put your password in plain text in ~/.muttrc and ~/.msmtprc, (and
~/.muttrc.bak , ~/.msmtprc.bak in the event that you configure two
accounts.) This is OK on a hard drive install or in a
"volatile" (non-persistent) live session, since the files are readable
only by your user (permissions 600, rw only for the user). In fact most
mail clients do this for convenience.

If, however, you happen to lose your USB key, anyone who booted it (or
mounted it as root) would have access to those email passwords, since
they are in plain text.

The fix involves recognising when the session is 'persistent', and
keeping the email passwords only for the current mutt session. This
means each mutt session will prompt for an email password when running
'persistent', but the passwords will be deleted from the device on exit
from mutt.

-- 
"INX Is Not X" Live CD based on Ubuntu 8.04 : http://inx.maincontent.net
Screenshots slideshow: http://inx.maincontent.net/album/1.png.html
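
Added example, not part of the original post or of the INX scripts: a small Bash helper for the "check for plain text passwords" step, which lists password lines in the four files named above without printing the secret, and can strip them. The patterns are an assumption (mutt's imap_pass/pop_pass/smtp_pass variables and msmtp's "password" keyword); the function names are hypothetical.

```shell
#!/bin/bash
# Added example: audit the four mail config files named in the post.
# Assumption: passwords are stored as mutt "set imap_pass/pop_pass/smtp_pass"
# lines or as an msmtp "password" line. Adjust PASS_RE if your files differ.

MAIL_FILES=".muttrc .muttrc.bak .msmtprc .msmtprc.bak"
PASS_RE='^[[:space:]]*(set[[:space:]]+(imap|pop|smtp)_pass|password)([[:space:]]|=)'

# find_password_lines [DIR]
# Prints "file:line:setting" for every stored password in DIR (default: $HOME).
# Only the setting name is shown, never the password value.
find_password_lines() {
    local dir="${1:-$HOME}" f
    for f in $MAIL_FILES; do
        [ -f "$dir/$f" ] || continue
        grep -nE "$PASS_RE" "$dir/$f" |
            sed -E "s/^([0-9]+):[[:space:]]*(set[[:space:]]+)?([a-z_]+).*/$f:\1:\3/"
    done
}

# strip_password_lines [DIR]
# Rewrites each file without its password lines, keeping mode 600.
# Comments and other settings (e.g. msmtp "passwordeval") are left alone.
strip_password_lines() {
    local dir="${1:-$HOME}" f tmp
    for f in $MAIL_FILES; do
        [ -f "$dir/$f" ] || continue
        tmp=$(umask 077; mktemp "$dir/$f.XXXXXX") || return 1
        # grep -v exits 1 when no lines remain; that is not an error here
        grep -vE "$PASS_RE" "$dir/$f" > "$tmp" || true
        chmod 600 "$tmp" && mv "$tmp" "$dir/$f"
    done
}

# Read-only audit of the current user's files
find_password_lines "$HOME"
```

Run strip_password_lines "$HOME" only after reviewing the audit output; mutt and msmtp will then prompt for the password instead of reading it from the file.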