pass edit leaking secrets

ಚಿರಾಗ್ ನಟರಾಜ್ mailinglist at chiraag.me
Wed Jul 21 12:57:58 UTC 2021


On 12021/05/01 03:29.51, Patrik Keller <patrik.keller at uibk.ac.at> wrote:
> Dear all,
> 
> it's probably no news for you, but running `pass edit secret` might leak
> information to persistent storage if `$EDITOR` is not configured
> properly. I got hit by this after switching from vim to neovim. The
> latter defaults to storing swap, undo, and backup files in the user's
> home directory [0].
> 
> My personal thoughts on this are:
> 1. Neovim should not have changed the default.
> 2. `pass edit` should warn about the potential leakage.
> 3. I want to set the password editor independent of `$EDITOR`.
> 
> I could imagine the following workflow for `pass edit`:
> 1. Prefer `$PASS_EDITOR` over `$EDITOR` over `vi`.
> 2. If `$PASS_EDITOR` is not set, print a warning about the potential
> leakage and ask for confirmation.
> 3. Proceed as before.
> 
> Do you know a better solution? Maybe one that works w/o changing pass?
> 
> Best
> Patrik
> 
> 0: https://github.com/neovim/neovim/issues/4481

The pass extension tail-edit opens up everything except for the first line (which is assumed to contain the password) and then prepends the password before saving to the password store: https://github.com/palortoff/pass-extension-tail

HTH!

- Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his
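
The workflow proposed in the quoted message, written as a shell wrapper that leaves pass unchanged (an added example, not part of the original thread and not code from pass or pass-extension-tail). `PASS_EDITOR` is the proposal's hypothetical variable, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example. PASS_EDITOR is the hypothetical variable from the proposal;
# pass itself only knows $EDITOR. Function names are illustrative.

# Step 1: prefer $PASS_EDITOR over $EDITOR over vi.
resolve_pass_editor() {
    if [ -n "${PASS_EDITOR:-}" ]; then
        printf '%s\n' "$PASS_EDITOR"
    elif [ -n "${EDITOR:-}" ]; then
        printf '%s\n' "$EDITOR"
    else
        printf '%s\n' vi
    fi
}

# Step 2 applies only when no dedicated password editor was configured.
needs_leak_warning() {
    [ -z "${PASS_EDITOR:-}" ]
}

# Wrapper for `pass edit <name>`: warn, ask for confirmation, then proceed.
pass_edit() {
    editor=$(resolve_pass_editor)
    if needs_leak_warning; then
        printf 'warning: PASS_EDITOR is not set; "%s" may write swap, undo or\n' "$editor" >&2
        printf 'backup files containing the secret to persistent storage.\n' >&2
        printf 'Continue? [y/N] ' >&2
        answer=
        read -r answer || true      # EOF counts as "no"
        case $answer in
            [Yy]*) ;;
            *) echo 'aborted' >&2; return 1 ;;
        esac
    fi
    # Step 3: proceed as before, overriding EDITOR for this one invocation only.
    EDITOR=$editor pass edit "$@"
}
```

Pointing `PASS_EDITOR` at an editor invocation that has swap, undo and backup files disabled is what closes the leak; the wrapper only makes that choice explicit and keeps it separate from the everyday `$EDITOR`.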