The current implementation of the CIFS/SMB support for External storage reveals user and password during execution of the smbclient command. Every logged-in user can read user and password with a simple 'ps' command. Additionally, user and password are logged in cleartext to syslog or a logfile.
Solution: The smbclient call should be modified to use the authfile option 'smbclient -A ', which implies the authfile has to be created when a share is created/updated (stored in the user's data directory?).
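To make the two halves of the report concrete (credentials visible in 'ps' and in logs versus an authfile passed with -A), here is an added stand-alone illustration in Python. It is not ownCloud code and not a patch for the lib discussed in this thread; the server, share and credential values are constructed, and list_share only contacts a server if you drop the injected runner and let it execute smbclient for real. The authfile format (username = / password = / domain = lines) is the one smbclient -A and mount.cifs read.

```python
"""Keep SMB credentials out of argv, and therefore out of `ps` and out of command logging."""
import os
import shlex
import shutil
import stat
import subprocess
import tempfile
from typing import Callable, List, Optional


def build_argv_insecure(server: str, share: str, user: str, password: str) -> List[str]:
    """The pattern the report describes: the password is an argv element, so every
    local user can read it from `ps` or /proc/<pid>/cmdline, and any log line that
    records the command stores it in cleartext."""
    return ["smbclient", f"//{server}/{share}", password, "-U", user, "-c", "ls"]


def write_authfile(user: str, password: str, domain: Optional[str] = None,
                   directory: Optional[str] = None) -> str:
    """Write a credentials file in the format smbclient -A expects:
        username = ...
        password = ...
        domain = ...
    Created in a fresh 0700 directory, with O_EXCL (no symlink race) and mode 0600."""
    for field in (user, password, domain or ""):
        if "\n" in field or "\r" in field:
            # a newline inside a field would let it inject a second "key = value" line
            raise ValueError("newline in credential field")
    directory = directory or tempfile.mkdtemp(prefix="smbauth-")  # mkdtemp gives 0700
    path = os.path.join(directory, "smb.auth")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"username = {user}\npassword = {password}\n")
        if domain:
            fh.write(f"domain = {domain}\n")
    return path


def build_argv_authfile(server: str, share: str, authfile: str) -> List[str]:
    """The hardened call: only the path of the credentials file appears in argv."""
    return ["smbclient", "-A", authfile, f"//{server}/{share}", "-c", "ls"]


def argv_leaks(argv: List[str], secret: str) -> bool:
    """What `ps` would show: does any argument contain the secret?"""
    return any(secret in arg for arg in argv)


def loggable(argv: List[str]) -> str:
    """Shell-quoted rendering of argv; safe for syslog only because argv carries no secret."""
    return " ".join(shlex.quote(a) for a in argv)


def authfile_is_private(path: str) -> bool:
    """True when the file has no group/other permission bits (owner-only access)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def list_share(server: str, share: str, user: str, password: str,
               domain: Optional[str] = None,
               runner: Optional[Callable[[List[str]], str]] = None) -> str:
    """Create the authfile, run smbclient against it, remove the file afterwards.
    `runner` defaults to executing the command; callers can inject a recorder instead."""
    if runner is None:
        def runner(argv: List[str]) -> str:
            return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
    authfile = write_authfile(user, password, domain)
    try:
        return runner(build_argv_authfile(server, share, authfile))
    finally:
        # the credentials must not outlive the call
        shutil.rmtree(os.path.dirname(authfile), ignore_errors=True)


if __name__ == "__main__":
    # Constructed sample values; no real server is contacted here.
    bad = build_argv_insecure("fileserver", "docs", "alice", "s3cret")
    print("insecure argv leaks password:", argv_leaks(bad, "s3cret"))
    shown = list_share("fileserver", "docs", "alice", "s3cret", "WORKGROUP",
                       runner=loggable)
    print("what the log would record with -A:", shown)
```

The second print shows the only thing that ever reaches a log or a process listing is the authfile path; the file itself lives in a 0700 directory, is 0600, and is deleted in the finally block even if smbclient fails. For a per-share setup as the report suggests, the same write_authfile would run when the share is created or updated and the file would be kept in the owner's data directory instead of a temporary one.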
I wouldn't rate this as a security issue, but this is definitely a valid point that we have to address. @MTGap could you please take care of this?
@icewind1991 is working on an alternative implementation of SMB which will arrive with OC6.
I see no real need to fix this in OC5.
For me it's not a big issue if this gets fixed with OC5 or OC6 (I am just a home user). But I don't understand how you guys define a security issue. In several bug trackers, issues like this one block whole releases.
In my private setup ownCloud and Samba use LDAP. My Windows PC and my girlfriend's are members of the Samba domain. So guess what you can do with the password after watching ps accidentally.
This setup is surely not uncommon for small offices/companies.
Quick explanation why I closed this and decided not to fix this in OC5:
The SMB lib we currently use has been unmaintained for a long time - we will throw it away pretty soon.
I don't see the need to invest time (private free time BTW ;-) ) in fixing stuff we throw away.
The new lib will for sure not be backported to OC5.
I'm pretty sure @icewind1991 is of the same opinion, and we are the only devs touching this code anyway.