Linux passwords in configuration files


Some programs on Linux that use configuration files want me to enter my password in plain text in one of their configuration files. For example newsbeuter, the RSS reader, wants me to enter my Google account password in ~/.newsbeuter/config if I want to read Google Reader feeds. Mutt also sort of wants a password in a text file, but gives the option of entering it on every login.

Is there any secure workaround to storing a password in a config file like that (e.g. for newsbeuter)? I was thinking of running the app as root, but that doesn't seem right. Or somehow creating and deleting the file every time I use the app.

Any ideas?

user33124

Posted 2010-04-03T04:58:00.063


Answers

4

Tweaking permissions will not protect against an adversary who has access to your disks (stolen laptop).

You cannot protect against an adversary that has root on your running system, but you can protect yourself against a stolen disk, or various not-too-smart malicious software, with these two techniques:

  • Set up a small encrypted filesystem (use dm-crypt or truecrypt, for instance), then replace your config files with symbolic links that point to some place in the encrypted partition. This is simple to deploy, but puts you at risk while the encrypted fs is mounted.

    # mount the encrypted fs under /mnt/crypt (cryptsetup, truecrypt, ...)
    # move (not copy) the config so no plaintext copy stays in $HOME;
    # ln -s would fail with "File exists" if the original were left in place
    mv ~/.application/config /mnt/crypt/app-config
    ln -s /mnt/crypt/app-config ~/.application/config
    # unmount the encrypted fs to lock the config again
    
  • Replace your config files with named pipes (mkfifo). That will only work well if the application reads the config in a single pass; upon startup, the app will block on reading the config file, until you write it in the named pipe. You can then store an encrypted version of the file somewhere else (use for instance gpg); when required, decrypt the contents with gpg and send it on the fly to the pipe. This is a bit safer as you must allow by hand each access to the file, but is maybe less convenient.

     # setup: encrypt the config to your own key, then replace the plaintext with a fifo
     gpg -e -r my-address@domain.com <~/.application/config >~/.application/config.pgp
     rm ~/.application/config          # mkfifo refuses to overwrite an existing file
     mkfifo ~/.application/config
     # run application, application hangs waiting for config
     gpg -d <~/.application/config.pgp >~/.application/config
    

b0fh

Posted 2010-04-03T04:58:00.063

Reputation: 2 005
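The named-pipe technique from the answer above, wrapped in a small POSIX sh script (an added example, not code from the answer or from any of the programs mentioned). It assumes the application reads its config in a single pass, that the encrypted copy was made with `gpg -e -r <key-id> <config >config.gpg`, and uses a `DECRYPT` variable so the fifo handling can be tried with `cat` before trusting it with gpg.

```shell
#!/bin/sh
# Run an application while its config file is a named pipe fed from an
# encrypted copy, so the plaintext never sits on disk. Assumes the app reads
# the config in one pass (the caveat in the answer above). config.gpg is
# assumed to have been made with: gpg -e -r <your-key-id> <config >config.gpg
# DECRYPT is whatever turns the encrypted file into plaintext on stdout; set it
# to "cat" to exercise the fifo mechanics without gpg.
DECRYPT=${DECRYPT:-"gpg --quiet --batch -d"}

# prepare_fifo CONFIG: make CONFIG a fifo readable only by the current user.
prepare_fifo() {
    cfg=$1
    if [ -e "$cfg" ] && [ ! -p "$cfg" ]; then
        # A regular file here may still hold the plaintext; do not clobber it.
        echo "refusing to replace regular file $cfg; move it aside first" >&2
        return 1
    fi
    [ -p "$cfg" ] || mkfifo -m 600 "$cfg"
}

# run_with_config CONFIG ENCRYPTED CMD...: run CMD while CONFIG (a fifo)
# delivers the decrypted ENCRYPTED contents exactly once; returns CMD's status.
run_with_config() {
    cfg=$1; enc=$2; shift 2
    prepare_fifo "$cfg" || return 1
    # The writer blocks on open() until the app opens the fifo for reading,
    # so the decrypted output only ever lives in the pipe buffer.
    ( exec $DECRYPT "$enc" > "$cfg" ) &
    writer=$!
    status=0
    "$@" || status=$?
    # If the app exited without ever reading the config, the writer is still
    # blocked on open(); terminate it so nothing lingers offering the secret.
    kill "$writer" 2>/dev/null || true
    wait "$writer" 2>/dev/null || true
    return "$status"
}
```

Typical use is `run_with_config ~/.application/config ~/.application/config.gpg application`; gpg will prompt for the passphrase through its agent at that point.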

2

Running non-critical software as root is almost never a good idea.

What you should do instead is change the permissions of these files so that only you (the user who is running these programs) can read them. To remove e.g. read, write and execute permission for anybody but you on a file mine.conf, you would, under your account, run

chmod og-rwx mine.conf

Benjamin Bannier

Posted 2010-04-03T04:58:00.063

Reputation: 13 999

0

Another trick is to put the config file inside a directory and take away the read permissions for that directory too, so that nobody can list what is inside it. Just do

chmod a-r whatever/

That way you can only list the contents if you are root (or if you just remember what the file is called), but you would still be able to do everything to the file inside as long as you know the file name. If you are root, you can still list it with

sudo ls whatever/

lavamunky

Posted 2010-04-03T04:58:00.063

Reputation: 314