Nukesor / pueue

Manage your shell commands.
MIT License

Security of Pueue logs #469

Closed DmitrySorda closed 11 months ago

DmitrySorda commented 11 months ago

A detailed description of the feature you would like to see added.

Hi,

I'm concerned about the security of Pueue logs. The logs could contain sensitive data, so I'm wondering if there is a way to encrypt them.

Is there currently a way to encrypt Pueue logs? If not, would it be possible to add this feature in the future?

Thanks, SorDA

Explain your use case for the requested feature

security of Pueue

Alternatives

No response

Additional context

No response

Nukesor commented 11 months ago

It's not possible to encrypt the logs, but proper encryption would be hard to accomplish.

Let's consider a few attacker scenarios:

Same system

If an attacker gains access to your logs on the same system, you're pretty much screwed anyway. The attacker will have access to ~/.local/share and thereby also to ~/.config, where your secret is located to communicate with the daemon. Once they've access to the daemon, they can just read the logs via talking with it.

I don't see a way to prevent an attacker from log access in this scenario.

Physical drive extraction

This is the only scenario that I can come up with, where encryption would be beneficial. An attacker gets physical access to your PC/Server, shuts down the system, extracts the drive and searches the drive for logs.

This scenario is covered by disk encryption, which should be the default if you care about security anyway.

I don't think that this is something I want to cover. Most production systems don't encrypt their logs, even though they may have critical data inside of them. Those logs are usually only protected via read/write permissions, which is also what pueue's filesystem approach ensures (unless your environment has improper permissions, but this is a user error).

Maybe I overlooked a scenario?

Nukesor commented 11 months ago

Ping @DmitrySorda

DmitrySorda commented 11 months ago

I apologize for the delayed response. I may be overly concerned about this. My use cases are very basic, and I cannot provide scenarios where log protection would be genuinely necessary. Considering how challenging it is to implement without justification, I am not prepared to support my proposal with valid arguments. I am simply impressed by the increasing number of hacks and leaks of personal data, security data, keys, passwords, and other sensitive information for individuals and businesses.

Nukesor commented 11 months ago

Don't worry.

I just don't think encryption is something Pueue should take care of. If pueued is called via TCP, there's a secret + TLS encryption, which makes this more than safe enough. If pueued is called via unix sockets, the socket is protected via file permissions and the secret on top of it.

Pueue's logs are by default protected by file permissions, unless the user makes the files explicitly readable to other users.

And as long as users properly encrypt their devices, which many OSs do by default these days (as they should), there's no problem either.

If anyone uses pueue to run commands that output sensitive information, I expect them to think about the repercussions of doing so, to check their user permissions (which is something everybody should do) and to encrypt their drives (which is also something everyone should do).
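As an added example (not part of the issue thread and not pueue's own code), a small POSIX shell audit of the permission model Nukesor describes: it walks the two directories where the task logs and the daemon secret live and flags anything readable by group or other, which is the "check their user permissions" step in practice. The `pueue` subdirectory names under `~/.local/share` and `~/.config`, and the config file name in the fixture, are assumptions rather than something the thread states.

```shell
#!/bin/sh
# Added example, not pueue's own code: audit the permission bits on the
# directories Nukesor names above, since both the task logs and the daemon
# secret are protected only by those bits. Any group/other bit set on a
# file or directory in these trees is a finding.
#
# Assumption (not stated on the page): on Linux, pueue keeps its state in
# $HOME/.local/share/pueue and its config (holding the secret) in
# $HOME/.config/pueue. Adjust the two paths if your layout differs.

# List every entry under $1 that grants group or other any access.
# Returns 0 when the tree is private to the owner, 1 if anything is exposed.
check_private_tree() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not found, nothing to check: $dir"
        return 0
    fi
    # -perm /077 matches any entry with at least one group/other bit set;
    # -printf is GNU find (Linux): %m is the octal mode, %p the path.
    find "$dir" -perm /077 -printf 'EXPOSED: %m %p\n'
    [ "$(find "$dir" -perm /077 | wc -l)" -eq 0 ]
}

# Check both pueue trees; returns 1 if either one has an exposed entry.
audit_pueue_dirs() {
    rc=0
    check_private_tree "${XDG_DATA_HOME:-$HOME/.local/share}/pueue" || rc=1
    check_private_tree "${XDG_CONFIG_HOME:-$HOME/.config}/pueue" || rc=1
    return $rc
}

# Constructed fixture for offline testing: a throwaway tree with the same
# layout, one log file left world-readable on purpose. Prints the root path.
# The file names and contents here are stand-ins, not pueue's real files.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/.config/pueue" "$root/.local/share/pueue/task_logs"
    printf 'constructed config stand-in\n' > "$root/.config/pueue/pueue.yml"
    printf 'job output\n' > "$root/.local/share/pueue/task_logs/1.log"
    printf 'token=placeholder\n' > "$root/.local/share/pueue/task_logs/2.log"
    chmod -R go-rwx "$root"                               # the intended state
    chmod 644 "$root/.local/share/pueue/task_logs/2.log"  # the defect to catch
    echo "$root"
}
```

On a real host, run `audit_pueue_dirs` as the user that owns the pueue daemon; a non-zero exit means a log or the secret is readable beyond that user.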