Thanks for taking the time to report this bug and helping to make Ubuntu
better. This is not a bug, but rather expected behavior:
https://wiki.ubuntu.com/SecurityTeam/FAQ#gnome-keyring
Please feel free to report any other bugs you may find.
** Information type changed from Private Security to Public
** Changed in: gnome-keyring (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1913584
Title:
passwords openly readable from gnome-keyring-daemon
Status in gnome-keyring package in Ubuntu:
Invalid
Bug description:
I'm using Lubuntu 20.04 and just configured a command line mail client
(mutt / neomutt) to access an imap mailbox, and to avoid storing the
password as plaintext in the .muttrc, I used the recommended method
like
set imap_pass = "`secret-tool lookup login mailaddress`"
to retrieve the password from the gnome-keyring. When the gnome-
keyring is accessed for the first time in a session, a requester
prompts for the keyring password, since passwords are stored encrypted
in ~/.local/share/keyrings.
But then, once the keyring password has been entered at the beginning
of a session, because it has been used in the intended way, the
keyring remains open for the rest of the desktop session (possibly for
a very long time), enabling any other program that can launch
secret-tool as a subprocess or access the dbus to read that password.
So virtually this is, once logged in, not any more secure than storing
the password in a regular file with mode 0600, i.e. not more secure
than writing the password directly into the .muttrc. It's just a
slight improvement since files are not stored in plaintext on disk (but
the disk should be encrypted anyways).
Is that intended?
What's the point in using a 'keyring daemon', if it is not more secure
than a regular file, and just any program can read the passwords?
After all, it is usually a central design requirement for
password/secret storage programs (such as keepass) that other
programs (which, under regular user sessions, cannot access the RAM of
other running processes) cannot access the passwords without the user's
explicit consent. It's a violation of the idea of a password safe if,
once open, any program can read it just like any file.
regards
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: gnome-keyring 3.36.0-1ubuntu1
ProcVersionSignature: Ubuntu 5.4.0-60.67-generic 5.4.78
Uname: Linux 5.4.0-60-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu27.14
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: LXQt
Date: Thu Jan 28 14:14:49 2021
InstallationDate: Installed on 2020-06-12 (229 days ago)
InstallationMedia: Lubuntu 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
SourcePackage: gnome-keyring
UpgradeStatus: No upgrade log present (probably fresh install)
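The following is an added example, not part of the bug report and not code from gnome-keyring or libsecret. It is a POSIX shell wrapper that narrows the exposure window the report describes: it reads one secret with secret-tool, re-locks the "login" collection immediately, and only then starts the consuming program with the secret in its environment, so the keyring is unlocked only for the duration of the lookup rather than for the whole desktop session. It assumes libsecret's secret-tool and systemd's busctl are installed; the object path, interface and method names are the ones from the freedesktop.org Secret Service API, and the function names (parse_locked_prop, keyring_is_locked, keyring_lock, with_secret) are mine.

```shell
#!/bin/sh
# Hypothetical wrapper around secret-tool (added example, not from the bug
# report or from gnome-keyring). Bounds the time the login collection stays
# unlocked by locking it again right after one secret has been read.

# Secret Service API object path of the default "login" collection.
COLLECTION_PATH="/org/freedesktop/secrets/collection/login"

# parse_locked_prop interprets busctl's get-property output for the boolean
# "Locked" property ("b true" / "b false").
# Returns 0 when the collection is locked, 1 when it is unlocked, 2 on
# unexpected input.
parse_locked_prop() {
    case "$1" in
        "b true")  return 0 ;;
        "b false") return 1 ;;
        *)         return 2 ;;
    esac
}

# keyring_is_locked queries the Locked property of the login collection over
# the session bus. Same return codes as parse_locked_prop.
keyring_is_locked() {
    out=$(busctl --user get-property org.freedesktop.secrets \
        "$COLLECTION_PATH" org.freedesktop.Secret.Collection Locked \
        2>/dev/null) || return 2
    parse_locked_prop "$out"
}

# keyring_lock asks the daemon to lock the collection again. Newer secret-tool
# builds have a "lock" mode; if that fails, fall back to the raw
# Secret.Service.Lock D-Bus call, which takes an array of object paths.
keyring_lock() {
    secret-tool lock --collection=login 2>/dev/null && return 0
    busctl --user call org.freedesktop.secrets /org/freedesktop/secrets \
        org.freedesktop.Secret.Service Lock ao 1 "$COLLECTION_PATH" \
        >/dev/null
}

# with_secret ATTRIBUTE VALUE COMMAND [ARGS...]
# Looks up the secret matching ATTRIBUTE=VALUE (the same attribute pair the
# .muttrc in the report passes to "secret-tool lookup"), re-locks the keyring,
# then runs COMMAND with the secret exported as $SECRET. The keyring is
# therefore unlocked only while the lookup runs, not while COMMAND runs.
with_secret() {
    attr=$1; value=$2; shift 2
    secret=$(secret-tool lookup "$attr" "$value") || {
        echo "with_secret: lookup failed for $attr=$value" >&2
        return 1
    }
    keyring_lock || echo "with_secret: warning: could not re-lock keyring" >&2
    env SECRET="$secret" "$@"
}
```

With the report's attribute pair, `with_secret login mailaddress neomutt -e 'set imap_pass="$SECRET"'` starts the mail client with the password taken from the environment instead of from a backtick command in .muttrc; `keyring_is_locked && echo locked` is a quick check, usable from a cron job or a shell prompt, that the collection did go back to the locked state. This does not change the property the report objects to (while unlocked, the collection is readable by every process on the session bus); it only shortens how long that state lasts, and the password still lives in the child process's environment for as long as it runs.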
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1913584/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp