Closed breadtk closed 3 years ago
This issue is similar to #75 in as far as the warning message can be confusing to some.
Your revised warning message misses the point. Writing to a world accessible file has already happened and as such, the key may be compromised already. The only safe course of action in that case would be setting the umask appropriately and generating a new key.
Also setting the umask to 0400
as you suggest would not lead to the desired result, the file would still be world accessible, I'm guessing you're confusing umask with mode, something that was already mentioned in #75:
$ umask 0400
$ age-keygen > ~/mysecret
$ ls -lha ~/mysecret
--w-rw-rw- 1 tharre tharre 45 Oct 12 03:40 ~/mysecret
I cannot think of a better warning message for redirecting to a file, but perhaps the correct thing to do here is just to tell the user to use age-keygen -o
instead, and hope the ones that really need redirection already know what they're doing?
Writing to a world accessible file has already happened and as such, the key may be compromised already
I see your point, but don’t let perfect be enemy of the good. It’s unlikely for a key to be leaked from the time that the write occurs and when the permission is fixed (assuming the user event wants to do that). If an attacker has a hook on arbitrary write()
calls, then the user likely has larger concerns to contend with.
..setting the umask to 0400 as you suggest would not lead to the desired result...I'm guessing you're confusing umask with mode...
You are correct, I was confusing the two. I'll edit the original post accordingly.
I cannot think of a better warning message for redirecting to a file, but perhaps the correct thing to do here is just to tell the user to use age-keygen -o instead
If the purpose of the 2nd error line is to inform the user that the key has already likely leaked (something I disagree with per above), then perhaps a better warning message would be:
Warning: writing key to a world-readable file. Consider deleting the key, setting umask to 066, and then running age-keygen again.
Or:
Warning: writing private key to a world-readable file. Consider fixing the file's permission and run age-keygen again.
Or (my preferred):
Warning: writing your private key to a world-readable file.
If an attacker has a hook on arbitrary write() calls, then the user likely has larger concerns to contend with.
If the attacker indeed has user-level access already (because it's a multi user system or he exploited a non-root daemon or whatever) then he can trivially hook any write() call on any files that are readable to him via the linux inotify API. There are no special additional capabilities needed for this attack.
What were you trying to do
Redirect the STDOUT output from
age-keygen
to a file.What happened
A warning message that suggested failure has occurred. It notes: "...and trying again" when it actually generated a key and wrote it out successfully.
Suggestion
Change the warning message to be something more helpful like: