
List:       kde-devel
Subject:    KMail/PGP security bug (?)
From:       "Jacek Konieczny" <jajcus () zeus ! polsl ! gliwice ! pl>
Date:       1998-07-11 15:40:57

Hi,

A great (although not well documented) feature of kmail is the use of PGP.
But there is a problem. KMail passes the PGP secret key's passphrase as a
command line argument.
So any user logged on to the same machine as a person using the PGP feature
of kmail can get his passphrase using a simple script such as this:

while true; do ps aew | grep pgp | grep -v grep; done

He can even put it in background and store passphrases in some file.

Unfortunately I don't know any easy and secure solution to this
(environment variables don't seem much more secure).

Maybe pipe to PGP.

This bug should be fixed or some warning to the user should be displayed. I
know it is too late for KDE 1.0, but maybe in the first bug-fix release.

Greets,
    Jacek
--
+---------+--------------------------------------------------------+
!      ,  !            Jacek Konieczny, Gliwice, Poland            !      
! Jajcus  ! email: jajcus@zeus.polsl.gliwice.pl, jajcus@polbox.com !
!         ! ICQ# 7149127                           WWW: none (yet) !
+---------+--------------------------------------powered-by-Linux--+
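
The "pipe to PGP" idea from the message above, as an added example that is not part of the original post or of KMail's code: it starts the same child once with the passphrase in argv and once on a pipe, and compares what ps can see. The child is a stand-in for pgp, and the PASSFD variable name and the sample passphrase are assumptions made for this sketch.

```python
import os
import subprocess
import sys

# Stand-in for the pgp binary (assumption): waits on stdin, then takes the
# passphrase from the fd named in PASSFD (hypothetical name) or from argv[1].
CHILD = (
    "import os, sys\n"
    "sys.stdin.read()\n"
    "fd = os.environ.get('PASSFD')\n"
    "s = os.read(int(fd), 4096) if fd else sys.argv[1].encode()\n"
    "print(len(s))\n"
)

def visible_cmdline(proc):
    """Argument bytes that ps can show to other local users."""
    try:
        with open(f"/proc/{proc.pid}/cmdline", "rb") as f:
            data = f.read()
        if data:
            return data
    except OSError:
        pass
    return b"\0".join(a.encode() for a in proc.args)  # no usable /proc

def run(passphrase, on_pipe):
    """Start the child; return (visible cmdline, passphrase length it got)."""
    argv, env, fds = [sys.executable, "-c", CHILD], dict(os.environ), ()
    if on_pipe:
        r, w = os.pipe()
        env["PASSFD"], fds = str(r), (r,)   # child learns only an fd number
    else:
        env.pop("PASSFD", None)
        argv.append(passphrase.decode())    # the behaviour reported above
    proc = subprocess.Popen(argv, env=env, pass_fds=fds,
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    seen = visible_cmdline(proc)            # child is still blocked on stdin
    if on_pipe:
        os.close(r)                         # parent keeps only the write end
        os.write(w, passphrase)
        os.close(w)
    out, _ = proc.communicate()             # closes stdin, child proceeds
    return seen, int(out)

if __name__ == "__main__":
    secret = b"constructed-sample-passphrase"   # constructed sample value
    for on_pipe in (False, True):
        seen, n = run(secret, on_pipe)
        print("pipe" if on_pipe else "argv", "leaks:", secret in seen, "got:", n)
```

In the pipe case the only thing placed in the environment is a descriptor number, so the environment listing that the "e" in "ps aew" asks for carries no secret either.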
