List:       kde
Subject:    KMail/PGP security bug (?)
From:       "Jacek Konieczny" <jajcus () zeus ! polsl ! gliwice ! pl>
Date:       1998-07-11 15:40:57

Hi,

A great (although not well documented) feature of kmail is the use of PGP.
But there is a problem. KMail passes the PGP secret key's passphrase as a
command line argument.
So any user logged on to the same machine as a person using the PGP feature
of kmail can get his passphrase using such a simple script:

while true; do ps aew | grep pgp | grep -v grep; done

He can even put it in background and store passphrases in some file.

Unfortunately I don't know any easy and secure solution to this
(environment variables don't seem much more secure).

Maybe pipe to PGP.

This bug should be fixed or some warning to the user should be displayed. I
know it is too late for KDE 1.0, but maybe in the first bug-fix release.

Greets,
    Jacek
--
+---------+--------------------------------------------------------+
!      ,  !            Jacek Konieczny, Gliwice, Poland            !      
! Jajcus  ! email: jajcus@zeus.polsl.gliwice.pl, jajcus@polbox.com !
!         ! ICQ# 7149127                           WWW: none (yet) !
+---------+--------------------------------------powered-by-Linux--+
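
The pipe approach suggested in the message, contrasted with the argv pattern it reports, as an added example that is not part of the original post or of KMail's code. Assumptions: a Linux /proc filesystem, a Python one-liner standing in for the pgp binary, and a constructed sample passphrase; `run_child` and `visible_cmdline` are hypothetical names.

```python
import subprocess
import sys

# Stand-in for the pgp binary (hypothetical): takes the passphrase from
# argv[1] if present, otherwise from stdin, and reports its length.
CHILD = (
    "import sys\n"
    "data = sys.stdin.read()\n"
    "secret = sys.argv[1] if len(sys.argv) > 1 else data\n"
    "print(len(secret))\n"
)


def visible_cmdline(pid):
    """Return the argv that ps shows to local users (read from /proc)."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return f.read().replace(b"\0", b" ").decode(errors="replace")


def run_child(passphrase, via_pipe):
    """Start the child, snapshot its public command line, then feed it."""
    argv = [sys.executable, "-c", CHILD]
    if not via_pipe:
        argv.append(passphrase)  # the pattern reported in the message
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    # The child is blocked reading stdin, so it is still alive here.
    seen = visible_cmdline(proc.pid)
    # With via_pipe the passphrase travels only through the pipe, which
    # other users cannot read; otherwise stdin is closed empty.
    out, _ = proc.communicate(passphrase if via_pipe else "")
    return {"leaked": passphrase in seen, "child_got_len": int(out)}


if __name__ == "__main__":
    sample = "constructed-sample-passphrase"  # constructed sample value
    print("argv:", run_child(sample, via_pipe=False))
    print("pipe:", run_child(sample, via_pipe=True))
```

In both modes the child receives the passphrase; only the argv variant places it where process listings expose it.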