[PATCH] Kwallet optional owner based access control
David Faure
faure at kde.org
Thu Apr 10 11:43:34 BST 2008

On Wednesday 09 April 2008, Jonathan Verner wrote:
> Hello,
>
> I store some quite sensitive data in my wallet (banking account
> passwords, credit card numbers, &c.) and I do not feel comfortable
> with allowing every application which has access to the wallet to
> read them. (E.g. kopete stores its passwords in there so it has to
> have access to the wallet, but if it is compromised by a hacker, it
> could get at the more sensitive banking passwords which would not
> be good). So I thought it might be useful to only allow access to
> the wallet folders to applications which actually created those
> folders. The attached patch tries to implement this (although I am
> not completely sure how the appid thing works and if it is
> spoof-safe). It defaults to the old behaviour and only limits the
> access if it is turned on in the configuration.

The appID thing is not spoof-safe -- anyone can craft DCOP or DBUS messages
with a fake sender ID in them.
I thought the solution to your problem was to create multiple wallets?
(I'm not sure how applications know which wallet to ask for, though)
--
David Faure, faure at kde.org, sponsored by Trolltech to work on KDE,
Konqueror (http://www.konqueror.org), and KOffice (http://www.koffice.org).