[pass] Extending pass with user-defined hooks / add ons

Emil Lundberg lundberg.emil at gmail.com
Sat Aug 1 17:38:05 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

At first I thought signatures were a good idea, but after thinking about it
I'm not sure they would actually improve security in any way. I mean, they
would protect you from malicious pass subcommands - but if an attacker can
write in your home directory, or even just a single directory in $PATH,
you're owned anyway. With full write access, they can add a malicious
"pass" wrapper script and prepend it to $PATH in .{ba,z}shrc. With write
access in $PATH they can just add the malicious code without modifying
$PATH. Then they wait for you to unlock your key with `pass show` and then
go nuts with the key unlocked in the agent. At this point they can add and
sign new subcommands as well, and those will be impossible to tell apart
from authentic subcommands.

With this in mind, I'm not convinced that any security is gained by
requiring subcommands to be signed. Instead, users would think they're
safer than they are, and be less careful with their $PATHs. As the saying
goes, bad security is worse than no security.

I say leave it up to the user to keep their $PATH clean, because I don't
see a reliable way to do it automatically. If git pulls are a concern, you
can instead ensure that any commits you fetch are signed before you merge
them.

/Emil
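Added example (editor's, not from the thread and not part of pass): a POSIX sh script for the two things the message above recommends, auditing $PATH for entries an attacker could write to, and refusing to merge fetched commits unless every one of them is signed by a key you trust. It assumes git 2.19 or later (for the %GF placeholder), a gpg setup that lets git verify signatures, and a trusted-fingerprint list you supply; the function names and the TRUSTED_FPRS variable are this example's own.

```sh
#!/bin/sh
# Added example (not from pass or from this thread). Two checks in the spirit
# of the post above: an audit of $PATH entries that an attacker could use to
# plant a fake "pass" or "pass-<subcommand>", and a fetch that refuses to
# merge unless every new commit carries a good signature from a key you trust.
# Assumptions: POSIX sh and find, git >= 2.19 (for the %GF placeholder), and
# gpg configured so that git can verify commit signatures.

# Print every entry of a PATH-like string ($1) that is empty or relative
# (it would resolve against the current directory), missing, owned by a user
# other than the caller or root, or writable by group/others.
# Returns 1 if anything was printed, 0 if the PATH looks clean.
find_risky_path_entries() {
    me=$(id -u)
    found=0
    rest="$1:"                       # trailing ':' so the loop sees the last entry
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case "$dir" in
            ''|[!/]*) echo "relative: '$dir'"; found=1; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "missing: $dir"; found=1; continue
        fi
        real=$(cd "$dir" && pwd -P)  # resolve symlinks, e.g. /bin -> /usr/bin
        if [ -n "$(find "$real" -prune ! -user "$me" ! -user root -print)" ]; then
            echo "owned-by-other-user: $dir"; found=1
        fi
        if [ -n "$(find "$real" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "writable: $dir"; found=1
        fi
    done
    return $found
}

# Read lines of the form "<sha> <%G?> <%GF>" on stdin (see fetch_verified) and
# return 0 only if every commit has a good signature from a key whose full
# fingerprint appears in the space-separated list $1. Status U (good signature,
# key validity unknown to gpg) is accepted because trust is decided by the
# fingerprint list here, not by gpg's trust database. Everything else (B bad,
# X/Y expired, R revoked, E unverifiable, N unsigned) is rejected.
check_sig_report() {
    trusted=" $1 "
    bad=0
    while read -r sha flag fpr; do
        [ -n "$sha" ] || continue
        case "$flag" in
            G|U) ;;
            *) echo "REJECT $sha: signature status '$flag'" >&2; bad=1; continue ;;
        esac
        if [ -z "$fpr" ]; then
            echo "REJECT $sha: no key fingerprint" >&2; bad=1; continue
        fi
        case "$trusted" in
            *" $fpr "*) ;;
            *) echo "REJECT $sha: signed by untrusted key '$fpr'" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# Fetch branch $2 from remote $1, verify every commit that would be merged, and
# only then fast-forward. The report is captured first so that a failing
# "git log" cannot be mistaken for an empty (clean) report. A non-fast-forward
# merge is refused rather than performed.
fetch_verified() {
    git fetch "$1" "$2" || return 1
    report=$(git log --format='%H %G? %GF' HEAD..FETCH_HEAD) || return 1
    printf '%s\n' "$report" | check_sig_report "$3" || {
        echo "not merging: unverified commits on $1/$2" >&2
        return 1
    }
    git merge --ff-only FETCH_HEAD
}

# Usage (TRUSTED_FPRS is a space-separated list of full key fingerprints):
#   find_risky_path_entries "$PATH"
#   fetch_verified origin master "$TRUSTED_FPRS"   # instead of `pass git pull`
```

git's own `git merge --verify-signatures` checks only the commit being merged; the script checks every new commit, which is the stricter reading of "any commits you fetch are signed". Neither check helps once an attacker can already write to a $PATH directory, which is the point of the message above: the audit is there so you notice that before it matters.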

On Sat, 1 Aug 2015 16:58 Lenz Weber <mail at lenzw.de> wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> It may be a good idea to require those hooks to be GPG-signed by the pass
> user to avoid malicious additions to the git repo.
>
>
> Am 01.08.2015 um 12:42 schrieb Steffen Vogel:
> > Hi,
> >
> >> What about a system similar to Git[1] where subcommands are just
> >> executables in your $PATH?
> >
> > Having a „pass-age“ sub-command somewhere in $PATH:~/.password-store/.hooks/ ?
> > That's a nice idea :-) I like it.
> >
> >> This has some benefits over keeping commands in your password store:
> >>
> >> * pass doesn't have to care about special or "blessed" directories
> >> * Subcommands can be written in any language
> >> * It's easy for third party packages to add new commands
> >>
> >> Plus if you want to keep your passwords and custom commands together you
> >> can add ~/.password-store/.hooks (or whatever it may be) to your $PATH.
> >
> > Convinced :-) I’d like to keep the addons together with my passwords.
> > This way, I can sync my add ons using „pass git pull“.
> >
> > I would say that we should agree on a hidden subdir in ~/.password-store which gets automatically added to $PATH by pass.
> >
> > Some proposals (which one do you like?)
> >
> >     ~/.password-store/.hooks/
> >     ~/.password-store/.addons/
> >     ~/.password-store/.plugins/
> >     ~/.password-store/.subcommands/
> >     ~/.password-store/.extensions/
> >
> > Kind Regards,
> >
> > Steffen
> >
> > PS: I will prepare a patch soon (tm).
> >
> > —
> >
> > Steffen Vogel
> > Robensstraße 69
> > 52070 Aachen
> >
> > Mail: post at steffenvogel.de
> > Mobil: +49 1575 7180927
> > Web: http://www.steffenvogel.de
> > Jabber: steffen.vogel at jabber.rwth-aachen.de
> >
> >
> >
> > _______________________________________________
> > Password-Store mailing list
> > Password-Store at lists.zx2c4.com
> > http://lists.zx2c4.com/mailman/listinfo/password-store
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBCAAGBQJVvN55AAoJED87gGHnFM0sVkEH/2rowojY7ipv95xCW4phzYNK
> f9Ab5RSlAUP8yLdiBWck+rJ788W1/v4gKFSitKytuOSgN/PVZRS7IN/Kaza2RdGv
> sX/stzL5jirvVfxga28u71xjk+DnQx8y+ImUOYiB3eGz6W59AZh0l9IOAfnlbFTo
> Nt/ZN/7XXYLJJdsQTDPO79oZFkNnTsK9q9FED8YGEpN7KyeE7g1bVeFATMdEfhze
> t39Xb6RTFPMwPudID1rQTmAsrPJ315ihgja/66UM3oW9eEXbXXAEIFZPbXp6+b3d
> fJU0f0KL8tAWpqMajh+1ztzWJBfeR60P4/QqT3X4lLBFacP4g7ON7i91e3Rx184=
> =ddwE
> -----END PGP SIGNATURE-----
>
>