Re: correct way to clear sensitive data from env?

2015-10-26 Thread Giancarlo Razzolini
On 24-10-2015 09:07, Stuart Henderson wrote:
> I don't understand why openvpn doesn't just allow passing the 
> username/password on a file descriptor to the authentication command.
> That would avoid the permission problems with via-file and the unsafe
> nature of via-env.

I don't understand it either. From my point of view, the OpenVPN project
has slowed down a lot in the past few years. Coincidentally, its
commercial solution didn't.

> so did Tamas, it's in ports.

Good to know. I don't think my code still compiles against newer OpenVPN
versions.

Cheers,
Giancarlo Razzolini



Re: correct way to clear sensitive data from env?

2015-10-24 Thread Stuart Henderson
On 2015-10-23, Giancarlo Razzolini wrote:
> On 23-10-2015 12:14, Tamas TEVESZ wrote:
>> case in point: openvpn passing username/password in the environment to 
>> openvpn_bsdauth.
>>
>> so there's actually a bit of sensitive data in env that current 
>> wisdom rightly tends to want to junk as soon as possible.

I don't understand why openvpn doesn't just allow passing the 
username/password on a file descriptor to the authentication command.
That would avoid the permission problems with via-file and the unsafe
nature of via-env.

I don't think there's anything you can do inside openvpn_bsdauth to 
prevent it from being seen with ps -e (but you do need root for that).

> I wrote many years ago an openvpn plugin that would use getpwnam instead
> of that PAM crap. I believe it's still around on sourceforge.

so did Tamas, it's in ports.



Re: correct way to clear sensitive data from env?

2015-10-23 Thread Giancarlo Razzolini
On 23-10-2015 12:14, Tamas TEVESZ wrote:
> case in point: openvpn passing username/password in the environment to 
> openvpn_bsdauth.
>
> so there's actually a bit of sensitive data in env that current 
> wisdom rightly tends to want to junk as soon as possible.

I wrote many years ago an openvpn plugin that would use getpwnam instead
of that PAM crap. I believe it's still around on sourceforge.
openvpn-auth-passwd if I recall correctly. I developed it specifically
because it would work on OpenBSD and also on any platform that works
with getpwnam. I can look it up if you want, but I don't even know if it
compiles with recent OpenVPN code.

Cheers,
Giancarlo Razzolini



correct way to clear sensitive data from env?

2015-10-23 Thread Tamas TEVESZ
hi,

case in point: openvpn passing username/password in the environment to 
openvpn_bsdauth.

so there's actually a bit of sensitive data in env that current 
wisdom rightly tends to want to junk as soon as possible.

getenv(3) states, "If getenv() is successful, the string returned 
should be considered read-only.", operative word being "should".

what's the correct way to deal with this (specifically on openbsd if 
there are any facilities that help here, as well as on other 
systems perhaps)?

thanks,

-- 
[-]

mkdir /nonexistent



Re: correct way to clear sensitive data from env?

2015-10-23 Thread Theo de Raadt
> case in point: openvpn passing username/password in the environment to 
> openvpn_bsdauth.
> 
> so there's actually a bit of sensitive data in env that current 
> wisdom rightly tends to want to junk as soon as possible.
> 
> getenv(3) states, "If getenv() is successful, the string returned 
> should be considered read-only.", operative word being "should".
> 
> what's the correct way to deal with this (specifically on openbsd if 
> there are any facilities that help here, as well as on other 
> systems perhaps)?

Clearing the string is pointless, it is a race that it can still be
observed!

You should restructure it to move data over a socket/pipe.
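
The socket/pipe restructuring suggested in the thread, as an added example that is not code from any poster, OpenVPN, or openvpn_bsdauth: the parent writes the credentials to a pipe and the child reads them from the descriptor, so they never appear in the child's environment or argument list. The names `auth_via_pipe` and `helper`, the `user\0pass\0` framing, and the sample credentials are assumptions made for this illustration.

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the auth helper. Reads exactly "user\0pass\0" from
 * fd and compares against constructed values (a real helper would call its
 * auth backend). Returns 0 accept, 1 reject, 2 malformed input. */
static int helper(int fd)
{
    char buf[256], *sep, *pass;
    size_t len = 0;
    ssize_t n;

    while (len < sizeof(buf) && (n = read(fd, buf + len, sizeof(buf) - len)) > 0)
        len += (size_t)n;
    if (len == 0 || buf[len - 1] != '\0')
        return 2;
    sep = memchr(buf, '\0', len);           /* end of the user field */
    pass = sep + 1;
    if (sep == buf + len - 1 || pass + strlen(pass) != buf + len - 1)
        return 2;
    return (strcmp(buf, "alice") == 0 && strcmp(pass, "s3cret") == 0) ? 0 : 1;
}

/* Parent side: credentials travel over a pipe, never through envp or argv. */
int auth_via_pipe(const char *user, const char *pass)
{
    int p[2], status, ok;
    pid_t pid;

    if (pipe(p) == -1)
        return -1;
    if ((pid = fork()) == 0) {  /* child; a real program would dup2() and exec */
        close(p[1]);
        _exit(helper(p[0]));
    }
    close(p[0]);
    /* Blocking pipe writes complete in full; each field includes its NUL. */
    ok = pid != -1 && write(p[1], user, strlen(user) + 1) != -1 &&
         write(p[1], pass, strlen(pass) + 1) != -1;
    close(p[1]);                /* EOF marks the end of the message */
    if (pid == -1 || waitpid(pid, &status, 0) == -1 || !ok || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) { return auth_via_pipe("alice", "s3cret"); } /* constructed input */
```

The return value is the helper's exit status (0 accept, 1 reject, 2 malformed), or -1 if the pipe, fork, write, or wait failed.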