[pass] GPG Compression and Authenticity

Alfredo Pironti alfredo.pironti at inria.fr
Thu Mar 20 09:53:43 CET 2014


On Thu, Mar 20, 2014 at 8:12 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:

> On Wed, Mar 19, 2014 at 8:06 AM, Alfredo Pironti
> <alfredo.pironti at inria.fr> wrote:
> > Using git-level signature ensures integrity of the data on the remote
> > repository, but not of the local data. Hence, you get protection from
> > attackers controlling a git repository, but not from attackers being
> able to
> > write into your home directory. If you want to protect also from local
> > attackers, then pass-level signature seems to be required.
>
> Actually, pass already protects from an attacker modifying to my
> password store directory: line 7 of password-store.sh is "umask 077".
> If an attacker can bypass this, he likely already has root access and
> could just as easily snatch my passphrases from memory or other
> things. Or, if an attacker has an arbitrary file-swap primitive, he
> likely could use that for privilege escalation anyway, and then read
> passphrases from memory. Alternatively, if an attacker has access to
> my filesystem, he could even modify my web browser or gpg binary. Or a
> variety of other attacks. Thus, I'm not sure that your attack model
> really makes sense. Please correct me if I'm wrong.
>

I think you're correct. The other case I see (just for completeness), is
when the attacker gets access to your account, but not root. In that case
umask does not protect you, but maybe the attacker cannot alter the gpg
binary or dump the memory of an arbitrary process.

That said, it seems to me a reasonable trade-off to begin by protecting
from an attacker that can alter the content on the remote git repository.

Cheers,
Alfredo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20140320/3c5c1789/attachment.html>


More information about the Password-Store mailing list