Reverted because Kodi 1) shouldn’t do this in modern versions, 2) if it does, this should be fixed, 3) I doubt OP would have read this before uploading a log. There is also a warning on that confidential data should be redacted, but I doubt that was read.

Paths reveal protocols and potential issues in libs (libnfs, libsmb) or streaming issues. It’s an important part of diagnosing a problem.

As mentioned before, there was a regression where passwords could leak. It should be fixed in a fairly recent version, but we’d need a log (dare I ask for one) to see what version you are on. If the passwords are in the log, then you should report this to Kodi, not us.

However if you are using a password that you use for other services, then you’re not doing security correctly. I really don’t understand users that get high and mighty when they haven’t followed basic security principles. I’ll also assume you didn’t put your passwords in passwords.xml but instead added them to sources.xml.

You want instructions in the Wiki to copy and paste a text file?

Which is not relevant to your post. That post concerns the storage of passwords in XML files, not in logs.


No, but the name and place of the file. Also not me, because i know know where to look, but anyone else who wants to go the manual way…

Not relevant? I was told to file a bug and that is the exact description. My initial concern goes a step further, as the file was read by a program and uploaded together with the logs to some server. But that isnt a Kodi bug.
That the logs too contain the credentials is another concern of course.

Who said i am using it for other services?
May I quote from the kodi bug because i couldnt write it down better:

XBMC really isn’t an application that needs to be locked down, nor is it likely to contain sensitive information, but passwords themselves are sensitive information. NAS drives often hold more than just movie files. A password for a google service via an add-on could give access to know knows what.

It is my cloud storage password. If it is breached, all my private files are compromised, no matter via webdav or web gui or any other API. Thats why I am keeping it now out of KODI.

Multiple files are collected in a grab logs -A, but all are documented on the OSMC or the Kodi Wiki collectively.

Your original report is

The Trac ticket is about world readable files. That is a filesystem issue.

Why not just use passwords.xml as expected, employ proper security for the device (don’t port forward), and use iptables if the LAN is untrusted?

It’s just not worth the effort to me. Also I need to access the server from the internet as well, rarely but more than from Kodi.

Actually its about both. First the password gets stored in plain text file and then the file is not secured.
I was told to report the first part as a bug, but its still a duplicate isnt it?

Not in my eyes.

This – I really don’t get. It’s 30-40 seconds to set up passwords.xml, and surely far longer to remove the source from Kodi and set up an external (presumably fstab based) mount.

No you dont understand. I am not going to waste more time on this, if I do not really need it as I said. I’m done with it. If I want to browse my cloud I use something else.
And then who knows what program/addon in ther future maybe reads that file out and uploads it anywhere else with me not knowing it. I learnt that Kodi is just no place for my important login credentials.

I appreciate your advice though. (and of course all the work you put into OSMC in general!)

1 Like

That is a separate argument. While I do agree that Kodi needs a central ‘vault’ like key store, you are starting to move the goal posts a bit.

1 Like