Bug report #19201

Authentification in QGIS doesn't ask master password - security breach

Added by Yaroslav Vasyunin over 2 years ago. Updated about 2 years ago.

Status:Rejected
Priority:Normal
Assignee:Alessandro Pasotti
Category:Authentication system
Affected QGIS version:3.1(master) Regression?:No
Operating System:Windows 10 x64 Easy fix?:No
Pull Request or Patch supplied:No Resolution:invalid
Crashes QGIS or corrupts data:No Copied to github as #:27030

Description

I have a QGIS project, which consists of many layers from a PostgreSQL database. Logins and passwords for the access are stored in the QGIS authentification database (qgis-auth.db). Once I run the project in QGIS 2.18 it firstly asks for my master password, and then loads all the layers from the database if I enter the correct master password.

However, when using the same approach in QGIS 3.1 (and 3.0.3), if I run the project, QGIS starts and doesn not ask for the master password. Instead of this it loads all layers from the database avoiding authentification!

History

#1 Updated by Alessandro Pasotti over 2 years ago

  • Status changed from Open to Feedback

There is a new feature in QGIS 3 that allows (do not force to, just allows) the user to store the master password in the operating system password manager/wallet (whatever is called on your platform).

#2 Updated by Alessandro Pasotti about 2 years ago

  • Resolution set to invalid
  • Regression? changed from Yes to No
  • Assignee changed from Larry Shaffer to Alessandro Pasotti
  • Status changed from Feedback to Rejected

Also available in: Atom PDF