
List:       kde-devel
Subject:    Re: KDE setuid root programs
From:       Lars Knoll <knoll () mpi-hd ! mpg ! de>
Date:       1998-07-27 13:53:12

On Mon, 27 Jul 1998, Christian Esken wrote:
>On Mon, 27 Jul 1998 Lars Knoll wrote:
>>>Getting back to reality: pgp manpage explicitly *warns* against using the
>>>env var method. OK, now we can dump env-vars, and we cannot
>>>use the command line switch. But I have a new solution, I found
>>>something in the manpage:
>>>
>>>Create a "-rw------" mode file, for example /tmp/passphrase_file_xyz
>>>and write the passphrase into it. Set PGPPASSFD to the file descriptor
>>>of this file. This seems to be a good method to protect the passphrase.
>>>
>>>It's just important to delete the file before creating it (to exclude some
>>>special cases with special file flags). After creating the file, permission
>>>and ownership of the file should be checked. Only when everything
>>>goes well the passphrase should be written to the file.
>>>
>>>
>>>Explanation: pgp, when forked will inherit the fd's from the parent
>>>process (kmail). Any comments, Stefan?
>>This is the way. You can set the environment variable PGPPASSFD
>>to a file descriptor containing the passphrase. When I made the first
>>implementation of the pgp support for kmail I didn't know of this 
>>possibility. It was quite well hidden in the docs. The new
>>implementation I made (which unfortunately came too late for kde1.0)
>>uses this way. But instead of using temporary files (which leave traces
>>on the hard disk), I used pipes, which works very well.
>>See ftp://xpc56.mpi-hd.mpg.de/pub/kde/pgp for the implementation (which
>>does also support pgp5.0).
>
>Great! Is there an easy way to put the stuff into the KDE1.0 kmail?
Just get the patch against kdenetwork-1.0 (or the patched
kdenetwork-1.0) from the location given above. I would be glad to hear
some reports (success/bug or about remaining security holes) about the
implementation.

Lars
