Re: [PATCH] Fix releasing procedure

From: Scott James Remnant
Subject: Re: [PATCH] Fix releasing procedure
Date: Wed, 28 Jan 2004 15:57:34 +0000

On Tue, 2004-01-27 at 10:40, Alexandre Duret-Lutz wrote:
> On Tue, Jan 27, 2004 at 10:17:52AM +0000, Scott James Remnant wrote:
> > *gulps* it stores my GPG passphrase in a shell variable?!
> Yep.  Just like mailcrypt stores it in an emacs variable, or gpg in a
> C variable.  What's the difference?

Here's why you shouldn't store the passphrase in a shell variable:

$ export passphrase="something irrelevant"
$ ./gnupload

'passphrase' is now an exported shell variable, /proc/*/environ of the
gnupload shell script itself will contain "something irrelevant", but
once you've read that variable in, the environ of every single process
(including GPG, etc.) that that shell script runs will contain whatever
your passphrase is.

Adding an export to someone you intend to attack's shell environment is
unfortunately rather easy.

Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?

Attachment: signature.asc
Description: This is a digitally signed message part
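
The inheritance described in the message can be reproduced in a few lines of POSIX shell. This is an added example, not part of the original message and not gnupload's code; the function names and the `unset` mitigation are assumptions made for illustration, and the passphrase is a constructed value.

```shell
#!/bin/sh
# Constructed demonstration; function names are hypothetical, not gnupload's.

# Stand-in for any program the script runs (gpg, etc.): a separate process
# that reports the value of "passphrase" it inherited in its environment.
child_view() {
    sh -c 'printf "%s" "${passphrase-}"'
}

# Pattern from the message: read the secret into a plain shell variable.
# If the caller already exported that name, the export attribute survives
# the assignment, so the new value is passed on to every child process.
leaky_script() (
    IFS= read -r passphrase
    child_view
)

# Possible mitigation (an assumption, not from the thread): unset the name
# first, which drops the inherited export attribute along with the old value.
hardened_script() (
    unset passphrase
    IFS= read -r passphrase
    child_view
)

# Simulate a user whose environment already carries the export shown in
# the message, then feed a constructed passphrase to the given function.
run_with_planted_export() (
    export passphrase="something irrelevant"
    printf '%s\n' 'constructed-secret' | "$1"
)

printf 'leaky child sees:    [%s]\n' "$(run_with_planted_export leaky_script)"
printf 'hardened child sees: [%s]\n' "$(run_with_planted_export hardened_script)"
```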
