Re: dropbox security situation

To: debian-user@lists.debian.org
Subject: Re: dropbox security situation
From: Celejar <celejar@gmail.com>
Date: Wed, 11 Dec 2019 13:52:24 -0500
Message-id: <[🔎] 20191211135224.ab32560fca38fa7bb223bbb3@gmail.com>
In-reply-to: <[🔎] jwvv9qmx35z.fsf-monnier+gmane.linux.debian.user@gnu.org>
References: <[🔎] alpine.NEB.2.21.1912071158190.26808@panix1.panix.com> <[🔎] 07122019203529.4a2ba73a3549@desktop.copernicus.org.uk> <[🔎] alpine.NEB.2.21.1912071643220.12775@panix1.panix.com> <[🔎] 07122019220045.e913ec2b4cb4@desktop.copernicus.org.uk> <[🔎] alpine.NEB.2.21.1912071819060.3711@panix1.panix.com> <[🔎] 87immrdj4p.fsf@dhh.gt.org> <[🔎] LvadeHz--3-1@tuta.io> <[🔎] 20191209075626.518058c3@jhegaala.localdomain> <[🔎] 157590549515.966557.13274790693691709138@auryn.jones.dk> <[🔎] 20191209141056.e4a10fc07fd13b58206dba9e@gmail.com> <[🔎] 09122019192232.0562d392f0d5@desktop.copernicus.org.uk> <[🔎] 20191209183546.991f71f4e4a61985fab19f2a@gmail.com> <[🔎] jwvv9qmx35z.fsf-monnier+gmane.linux.debian.user@gnu.org>

On Wed, 11 Dec 2019 11:07:48 -0500
Stefan Monnier <monnier@iro.umontreal.ca> wrote:

> > I use full disk encryption (cryptsetup / LUKS), so the password file
> > is secure at rest, and when I'm actually using the system, if
> > gpg-agent is used, then anyone with access to the machine can access
> > the password file anyway.
> 
> That assumes a single-user situation.  But in case someone manages to
> run code on your machine as some user other than yourself and root, then
> they will have access to most of your files, but not to your gpg-agent
> (and hence not to your gpg-encrypted files).

Can't this just be avoided by chmoding sensitive files to 600 (which
things like ssh recommend / require anyway)?

> Also, gpg-agent voluntarily forgets the passwords after some timeout, so
> even if someone gets access to your machine as your user or as root,
> they may still be unable to decrypt your gpg files if enough time has
> passed and gpg-agent has forgotten your password.

Yes, I acknowledged this point in my original email:

> machine can access the password file anyway. I guess one gets some
> additional security in the case where one walks away from
> the machine and leaves it running (and an attacker doesn't get there
> before gpg-agent evicts the password from the cache), and similar cases.

Celejar

Reply to:

References:
- dropbox security situation
  - From: Jude DaShiell <jdashiel@panix.com>
- Re: dropbox security situation
  - From: Brian <ad44@cityscape.co.uk>
- Re: dropbox security situation
  - From: Jude DaShiell <jdashiel@panix.com>
- Re: dropbox security situation
  - From: Brian <ad44@cityscape.co.uk>
- Re: dropbox security situation
  - From: Jude DaShiell <jdashiel@panix.com>
- Re: dropbox security situation
  - From: John Hasler <jhasler@newsguy.com>
- Re: dropbox security situation
  - From: <l0f4r0@tuta.io>
- Re: dropbox security situation
  - From: Charles Curley <charlescurley@charlescurley.com>
- Re: dropbox security situation
  - From: Jonas Smedegaard <jonas@jones.dk>
- Re: dropbox security situation
  - From: Celejar <celejar@gmail.com>
- Re: dropbox security situation
  - From: Brian <ad44@cityscape.co.uk>
- Re: dropbox security situation
  - From: Celejar <celejar@gmail.com>
- Re: dropbox security situation
  - From: Stefan Monnier <monnier@iro.umontreal.ca>

Prev by Date: Re: dropbox security situation
Next by Date: printing on a remote usb printer
Previous by thread: Re: dropbox security situation
Next by thread: Re: dropbox security situation
Index(es):
- Date
- Thread