
Re: [PATCH] Fix releasing procedure


From: Gary V. Vaughan
Subject: Re: [PATCH] Fix releasing procedure
Date: Tue, 27 Jan 2004 18:29:46 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20030925 Thunderbird/0.3


Alexandre Duret-Lutz wrote:
| On Tue, Jan 27, 2004 at 11:54:39AM +0000, Gary V.Vaughan wrote:
| > Notice that at the point that you pass the
| > passphrase to gpg's stdin on a pipe you are calling echo with the
| > PATH set by the user:
| >
| >  echo $passphrase | $GPG --passphrase-fd 0 -ba -o $file.sig $file
| >
| > Oops!
|
|
| At that point I already know that echo is a built-in (the script has
| exited otherwise).  I don't understand how PATH could matter.

Where does it exit?  Do you mean when it is reading the passphrase?

    $ /bin/sh -c 'PATH=/empty notabuiltin "Argh"; echo "Still here"'
    /bin/sh: notabuiltin: command not found
    Still here

- If someone compromises my machine and manages to put a trojan echo, or gpg
in /usr/local/bin, or my ~/bin, the PATH setting when gpg is execed is very
important.

- If my /bin/sh doesn't have a builtin echo, the process table will contain
"echo whatever my passphrase is" for a short time.


| > Better than PATH fiddling in the environment, it would be good to
| > detect bash and use 'builtin echo' (and similar for ksh and zsh).  I
| > think you should also call gpg with an absolute path to forestall a
| > trojan gpg which could log the passphrase.
|
| I don't know the absolute path to use, unless I browse PATH.  Maybe
| you mean I should allow $GPG to be set by the user?  (This seems as
| dangerous as honoring PATH.)

It is!  I mean hardcode "GPG=/usr/bin/gpg", and have the sysadmin edit the
script or put a link in /usr/bin rather than searching the PATH (implicitly or
otherwise).

| > I'd be happier using the script if you supported quintuple agent, so
| > that if gpg is getting its passphrase from gpg-agent already, then
| > there is no need to save it in the script at all.
|
| This would be nice.  I've heard about gpg-agent already, but never
| used it.  Is there a Debian package for this?  I could not find it.

I don't know, I use OSX :-b

Yes it is in debian, and it provides a wrapper that makes gpg query the agent
instead of the user.

    http://packages.debian.org/stable/utils/quintuple-agent

| > I'm no security expert, and even I've found a couple of
| > vulnerabilities.  I have to say that I wouldn't use the script on a
| > networked machine as it stands.
|
|
| Oh, as far as I'm concerned I wouldn't use gpg on a machine which I
| don't fully control.  That may explain our different concerns :)

Well, I wouldn't store my private keys on a machine that I don't control,
but I would type my passphrase at an agent or gpg binary that I installed.

| Whether my passphrase is stored in an agent process or in a shell
| variable does not worry me; because to my (limited) knowledge the only
| other user that can spy it is root, and root is me.

Unless your machine is on the network and has consequently been compromised.
Even root should not be able to get your passphrase (although if he can steal
your private key, you are in a bit of a mess already).

Cheers,
        Gary.
-- 
Gary V. Vaughan      ())_.  address@hidden,gnu.org}
Research Scientist   ( '/   http://www.oranda.demon.co.uk
GNU Hacker           / )=   http://www.gnu.org/software/libtool
Technical Author   `(_~)_   http://sources.redhat.com/autobook
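A hardened form of the passphrase hand-off this thread discusses, added here as an example: it is not libtool's release script nor code from either poster, the sign-release.sh name is hypothetical, and the gpg path is the hardcoded one the reply proposes, not a verified location.

```shell
#!/bin/sh
# Hardened form of the passphrase hand-off discussed in this thread.
# Added example; sign-release.sh is a hypothetical name, not libtool's.

# Hardcoded, as the reply suggests: never taken from PATH or the
# environment.  Placeholder path; point it at the audited binary.
GPG=/usr/bin/gpg

# Return 0 only if $1 is a builtin of the running shell.  An external
# echo would be exec'd with the passphrase in its argv, where anyone
# listing the process table can read it for a moment.
is_builtin() {
    case "$(type "$1" 2>/dev/null)" in
        *"shell builtin"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only for an absolute path to a regular executable file, so
# neither PATH lookup nor a relative path can substitute a trojan gpg.
is_absolute_executable() {
    case "$1" in
        /*) [ -f "$1" ] && [ -x "$1" ] ;;
        *)  return 1 ;;
    esac
}

# Feed $1 on stdin to the command in the remaining arguments without
# placing it in any process's argv: a builtin printf if we have one,
# else a here-document written by the shell itself (caveat: some shells
# back a here-document with a temporary file under $TMPDIR).
feed_secret() {
    secret=$1
    shift
    if is_builtin printf; then
        printf '%s\n' "$secret" | "$@"
    else
        "$@" <<EOF
$secret
EOF
    fi
}

# Sign $2 with passphrase $1; the gpg invocation is the one from the
# thread, now quoted and with the absolute-path check in front of it.
sign_file() {
    is_absolute_executable "$GPG" || { echo "refusing: GPG=$GPG is not an absolute path to an executable" >&2; return 2; }
    feed_secret "$1" "$GPG" --passphrase-fd 0 -ba -o "$2.sig" "$2"
}
```

With gpg-agent (or the quintuple-agent wrapper mentioned above) in use, the passphrase never reaches the script at all and feed_secret becomes unnecessary.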