This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
1st impressions #1
Comments
|
Rather than passing the password through DBus, you can pipe it in through |
The whole reason is just that I need
The approach given in the comment isn't actually possible, because KeePassXC sets PTRACE_SET_DUMPABLE to 0, which makes it impossible for non-root users to read KeePassXC's
Agreed.
Currently all it does is ensure that the secrets are wiped from memory when they're no longer needed, regardless of how many times they're copied around in memory. (Data is overwritten when rust's Drop is invoked.) Added it just because it was simple enough to do quickly, in the future I'll probably switch to some other crate, which implements more sophisticated memory protection functionality.
Definitely a problem, but when I saw that KeePassXC exposes this unlock over D-Bus functionality, I figured that at least some of the security faults with this are their problem. :P
Another reason why I'm using the systemd service, to hopefully avoid some of the ugliness of the gnome-keyring method. Instead of leaving a process started from outside the user session hanging around, the fork only exists for as long as is necessary to pass data to KeePassXC, leaving a (relatively) nicely managed process. (Addressing this:)
There are a few issues created by this, though, due to the fact that KeePassXC is a GUI program, and not a background daemon, however.
I'll look into it! |
|
TL;DR What we need is for KeePassXC to provide a better way to pass the unlock secrets to it, and it'd be great if it was possible to run KeePassXC's secret service as background process (though unless the GUI application is massively rewritten, it'd probably act independently and require a separate database) (Honestly, if this project doesn't pan out, I might look into making my own KeePassXC-database-compatible secret service implementation.) |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Hi, I went over the code briefly, there a few things that stood out to me:
I noticed that you use the
org.keepassxc.KeePassXC.MainWindowDBus service to start KeePassXC and unlock the database. Normally, at least with Secret Service setups, KeePassXC would be started through theorg.freedesktop.secretsDBus service (though that doesn't handle unlocking). See keepassxreboot/keepassxc#6274 .This is also not the method that was discussed in keepassxreboot/keepassxc#6055 (comment) , though your current approach is simpler. I understand that you may not want to depend on KeePassXC-side code to retrieve the password and unlock itself, but the implications need to be carefully thought through. (From the KeePassXC end, we're also waiting for Full QuickUnlock, which as I understand, should implement a similar credential retrieval mechanism in a way that's more acceptable to the KeePassXC team).
It would be good to document in the RAEDME how this PAM module is expected to work, and how it interacts with the Secret Service integration (a likely common use case for wanting auto-unlock on login):
What are the steps that you expect to occur from user login until the database unlocks, or until a program requests and receives a password though Secret Service, or any other use case you'd like to document. And also: why does this need to happen through a SystemD service? (e.g. for Secret Service, DBus is usually enough).
You currently have the
/usr/bin/keepassxcpath hard-coded, and try to verify the executable path against that. This is ok for a start, but keep in mind that KeePassXC may be installed to a different location in some use cases. Furthermore, it might be possible to spoof the executable path in some ways. There was some talk about that over at KeePassXC when its Secret Service client detection was being developed. The above-mentioned method is more flexible with the executable path, and more robustly identifies the executable (and if you follow the links from there, you can find some of those early discussions about client detection).I can't comment much on security aspects, but as a general rule, you should be very careful with placing security-related stuff in normal user space. For example, it's quite easy for a malicious process to intercept (if not impersonate) the
org.keepassxc.KeePassXC.MainWindowDBus service to obtain the KeePassXC password (see e.g.dbus-monitor). And since in this case you're trying to use the user login password as a KeePassXC password, this would often also be thesudopassword, which could lead to fairly nasty privilege escalation.(Although conventional wisdom is that if you have a malicious process running locally, you're screwed anyway, but we still try not to add more vulnerabilities.)
The Secret Service API uses encryption over DBus to protect against DBus eavesdropping, and there was also some unfinished work to bypass DBus entirely when transferring secrets from Secret Service. AFAIK,
org.keepassxc.KeePassXC.MainWindowdoesn't support that.You may also need to protect the PAM module's memory similar to what KeePassXC does. (I saw that you're using
SecretString, but don't know what kind of protection that offers.) You may want to look at other PAM modules and check what they do.Finally, there are some relevant notes in another keepassxreboot/keepassxc#6055 (comment) .
The text was updated successfully, but these errors were encountered: