Open flosnvjx opened 2 years ago
Command line args are also visible via top; a program running under a different user could call the syscalls top uses to monitor other processes and watch for your key as a command line arg.
I sent a fix for this issue in pull request #182.
In the current implementation (otp.bash#L360) of pass-otp, when generating pincodes, the implementation uses a command line argument to pass the `$otp_secret` to the external binary `oathtool`.

The problem with this approach is that, in a strictly managed environment, things like audit logging are usually enabled (e.g. enabled for the `exec*` syscalls, which is quite common in enterprise server/thin-client environments), so the arguments used to invoke an external binary may be written to syslogd, which is possibly stored in unencrypted form in terms of on-disk sectors and sudoers (privileged sysadmins). The manual of `oathtool(1)` also points out this:

This also applies to some consumer-level single-user runtimes, like Termux on Android (things like `logcat` may get uploaded to the OS vendor. Note that Termux also has `pass-otp` packaged in their repository). It should have fairly no drawback if switched to a pipe approach instead.
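The exposure described in this issue can be checked directly. The following is an added example, not code from pass-otp or from pull request #182: it starts a stand-in child process with a secret passed either as an argument or over a pipe, then reads the child's argument vector the way another local user or an `exec*` audit rule would see it. The `CONSUMER` stand-in, its `-` convention for reading stdin, the function names and the sample secret are all assumptions of this example; it expects a Linux `/proc` (falling back to `ps`).

```shell
#!/bin/sh
# Added example. SAMPLE_SECRET is a constructed value, not a real key.
SAMPLE_SECRET='JBSWY3DPEHPK3PXP'

# Stand-in for the external binary (hypothetical): takes the key as $1,
# or from stdin when $1 is "-", then lingers so its argv can be inspected.
CONSUMER='key=$1; [ "$key" = "-" ] && IFS= read -r key; sleep 1; exit 0'

# argv of a process as other local users and exec* audit rules see it.
argv_of() {
  if [ -r "/proc/$1/cmdline" ]; then
    tr '\000' ' ' < "/proc/$1/cmdline"
  else
    ps -o args= -p "$1"
  fi
}

# secret_in_argv MODE SECRET: returns 0 if SECRET shows up in the child's argv.
secret_in_argv() {
  sia_mode=$1 sia_secret=$2
  case $sia_mode in
    argv)  sh -c "$CONSUMER" consumer "$sia_secret" & ;;
    stdin) printf '%s\n' "$sia_secret" | sh -c "$CONSUMER" consumer - & ;;
    *)     return 2 ;;
  esac
  sia_pid=$!
  sleep 0.3   # give the child time to start before inspecting it
  sia_seen=$(argv_of "$sia_pid" 2>/dev/null) || true
  kill "$sia_pid" 2>/dev/null || true
  wait "$sia_pid" 2>/dev/null || true
  case $sia_seen in
    *"$sia_secret"*) return 0 ;;
    *)               return 1 ;;
  esac
}

# Report both ways of handing over the secret.
for mode in argv stdin; do
  if secret_in_argv "$mode" "$SAMPLE_SECRET"; then
    echo "$mode: secret visible in process arguments"
  else
    echo "$mode: secret not visible in process arguments"
  fi
done
```
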