proposal: use pipe instead of cmdline arg to pass $otp_secret to oathtool #167
Comments
|
Command line args are also visible via top, a program running under a different user could call the syscalls top uses to monitor other processes and watch for your key as a command line arg. |
pabs3
added a commit
to pabs3/pass-otp
that referenced
this issue
May 12, 2023
Check if the oathtool version supports this first and prefer the safe oathtool version to the always unsafe otptool. Fixes: tadfisher#167
|
I sent a fix for this issue in pull request #182. |
pabs3
added a commit
to pabs3/pass-otp
that referenced
this issue
Jan 6, 2024
Check if the oathtool version supports this first. Fixes: tadfisher#167
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In current implementation (otp.bash#L360) of pass-otp, when generating pincodes, the implementation use a command line argument to pass the
$otp_secretto external binaryoathtool.The problem with this approach is, in strictly managed environment, things like audit log is usually enabled (e.g. enabled for
exec*syscall, which is quite common in enterprise server/thin-client environment), arguments to invoke external binary may written to syslogd, which is possibly stored in unencrypted form in terms of on-disk sectors and sudoers (privileged sysadmins). The manual ofoathtool(1)also point out this:This also applies to some consumer-level single user runtime, like Termux on Android (things like
logcatmay get uploaded to OS vendor. Note that Termux also havepass-otppackaged in their repository). It should have fairly no drawback if switched to pipe appoarch instead.The text was updated successfully, but these errors were encountered: