search

mhogomchungu / zuluCrypt

zuluCrypt is a front end to cryptsetup and tcplay and it allows easy management of encrypted block devices
https://mhogomchungu.github.io/zuluCrypt
Other
495 stars 61 forks source link

zuluCrypt-gui not honoring environment setting ${TMP} #213

Open cto741 opened 3 weeks ago

cto741 commented 3 weeks ago

While trying to mount a Truecript container as a normal user I saw in the debug window a command: -f "/tmp/zuluCrypt-0/878313608" I am still working this out.

I have several environment variables set to point TMP to $HOME/tmp rather than the communal /tmp folder. Is there some (obscure?) security reason why zuluCrypt is not honoring the environment variable ${TMP}?

e.g.: TMPDIR=/home/user/tmp TMP=/home/user/tmp TEMPDIR=/home/user/tmp TEMP=/home/user/tmp

mhogomchungu commented 3 weeks ago

In my system, temporary directory is set to "/tmp", I will set the project to get temp path from env variable.

[ink@localhost ~]$ env | grep  tmp
SESSION_MANAGER=local/localhost.localdomain:@/tmp/.ICE-unix/3429,unix/localhost.localdomain:/tmp/.ICE-unix/3429
SSH_AUTH_SOCK=/tmp//ssh-XXXXXX3sZ5XV/agent.2537
TMPDIR=/tmp/
GCONF_TMPDIR=/tmp
TMP=/tmp/
DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/dbus-yDBrrrrr,guid=fdddddddd
[ink@localhost ~]$
cto741 commented 3 weeks ago

Thanks for the reply. Setting TMP to be ${HOME}/tmp rather than /tmp has been a security recommendation for some time (circa 1993-ish but probably before that). The ones I listed above I have found to be those used by most programs. Technically, this may be out of date, the old skewel variable was: TMP=/path; export TMP . TEMP/TEMPDIR are influences of Microsoft.

mhogomchungu commented 3 weeks ago

Mhhhh, yes there is "obscure" security reason.

/tmp/zuluCrypt-0/878313608 is a socket path and zuluCrypt-gui running from your user account is using it to send credentials to zuluCrypt-cli running from root's account. The socket path is read when zuluCrypt-cli has limited capabilities and it is failing to read the socket path when it is in user home directory. For this to work, zuluCrypt-cli has to run with elevated privileged when accessing the socket path.

cto741 commented 3 weeks ago

I am new to zuluCrypt so don't have a understanding/map of zuluCrypt and how it mounts file based containers so this is Apples and Oranges here I know but...

I am using KeePassXC-2.7.8-x86_64.AppImage and in my $HOME/tmp folder: srwx------ 1 user user 0 Jun 13 22:22 keepassxc-user.socket

I am also using tmux. ls -l /home/user/tmp/tmux-1000 drwx------ 2 user user 62 Jun 5 11:47 . drwx------ 265 user user 16384 Jun 14 11:06 .. srwxrwx--- 1 user user 0 Jun 5 11:47 hw01 srwxrwx--- 1 user user 0 Jun 5 11:47 local01 srwxrwx--- 1 user user 0 Jun 5 11:47 vm01 user@host:~$ ls -l /bin/tmux -rwxr-xr-x 1 root root 692192 Jan 31 2023 /bin/tmux

I remember now where setting TMP to ${HOME}/tmp came from. Screen back in the 90s to improve security.

If I am mounting a VCC image for myself in /run/media/private/user/user-archive-data.vcc shouldn't the default permissions on my $HOME/tmp/zuluCrypt-1000/socket be all that is needed? How about $HOME/mnt/user-archive-data.vcc if you need SU privileges for creating things in /run/media/private/user .

However this probably explains why zuluCrypt is not working for me.