
Re: [PATCH] Fix releasing procedure

From: Alexandre Duret-Lutz
Subject: Re: [PATCH] Fix releasing procedure
Date: Tue, 27 Jan 2004 14:05:41 +0100

On Tue, Jan 27, 2004 at 11:54:39AM +0000, Gary V. Vaughan wrote:
> On Tuesday, January 27, 2004, at 10:40  am, Alexandre Duret-Lutz wrote:
> >On Tue, Jan 27, 2004 at 10:17:52AM +0000, Scott James Remnant wrote:
> >>*gulps* it stores my GPG passphrase in a shell variable?!
> >
> >Yep.  Just like mailcrypt stores it in an emacs variable, or gpg in a
> >C variable.  What's the difference?
> I was about to ask how you get the passphrase into gpg without it
> showing up in the process table for an instant, but you seem to have
> tried to address that.  Notice that at the point that you pass the
> passphrase to gpg's stdin on a pipe you are calling echo with the
> PATH set by the user:
>   echo $passphrase | $GPG --passphrase-fd 0 -ba -o $file.sig $file
> Oops!

At that point I already know that echo is a built-in (the script has
exited otherwise).  I don't understand how PATH could matter.

> Better than PATH fiddling in the environment, it would be good to
> detect bash and use 'builtin echo' (and similar for ksh and zsh).  I
> think you should also call gpg with an absolute path to forestall a
> trojan gpg which could log the passphrase.

I don't know the absolute path to use, unless I browse PATH.  Maybe
you mean I should allow $GPG to be set by the user?  (This seems as
dangerous as honoring PATH.)

> I'd be happier using the script if you supported quintuple agent, so
> that if gpg is getting its passphrase from gpg-agent already, then
> there is no need to save it in the script at all.

This would be nice.  I've heard about gpg-agent already, but never
used it.  Is there a Debian package for this?  I could not find it.

> I'm no security expert, and even I've found a couple of
> vulnerabilities.  I have to say that I wouldn't use the script on a
> networked machine as it stands.

Oh, as far as I'm concerned I wouldn't use gpg on a machine which I
don't fully control.  That may explain our different concerns :)
Whether my passphrase is stored in an agent process or in a shell
variable does not worry me; because to my (limited) knowledge the only
other user that can spy on it is root, and root is me.
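
The two concerns debated in this thread (the passphrase must only be written by a shell builtin, and gpg should not be located through the caller's PATH), as an added example that is not part of the original message or of the release script. `TRUSTED_DIRS`, `is_builtin`, `resolve_tool` and `sign_detached` are hypothetical names, and the listed directories are assumed to be writable only by root.

```shell
#!/bin/sh
# Added example; TRUSTED_DIRS, is_builtin, resolve_tool and sign_detached
# are hypothetical names, not taken from the release script.

# Searched instead of the caller's PATH (assumed writable only by root).
TRUSTED_DIRS=${TRUSTED_DIRS:-/usr/bin:/bin:/usr/local/bin}

# Succeed only if the shell implements $1 itself, so writing the secret
# never execs a PATH-resolved program with the secret in its argv.
is_builtin() {
    case "$(type "$1" 2>/dev/null)" in
        *builtin*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the absolute path of $1 found in TRUSTED_DIRS, or fail.
resolve_tool() {
    old_ifs=$IFS; IFS=:
    for dir in $TRUSTED_DIRS; do
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# sign_detached FILE: sign FILE into FILE.sig using $passphrase.
# printf is used rather than echo because echo may mangle a passphrase
# that starts with -n or contains backslashes.
sign_detached() {
    is_builtin printf || { echo "printf is not a builtin" >&2; return 2; }
    gpg_bin=$(resolve_tool gpg) || { echo "no gpg in TRUSTED_DIRS" >&2; return 3; }
    # Same gpg options as the line quoted in the thread; GnuPG 2.x also
    # needs --batch (and, from 2.1, --pinentry-mode loopback) for
    # --passphrase-fd to take effect.
    printf '%s\n' "$passphrase" |
        "$gpg_bin" --passphrase-fd 0 -ba -o "$1.sig" "$1"
}
```
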
