This commit refactors the handling of password input by eliminating
all intermediary programs and relying only on ZSh, hence improving
overall security against rootkits and such.
Also the way sudo is used is now greatly simplified and there is no
privilege escalation at boot: sudo is executed inside Tomb by being
prefixed in front of those programs needing it.
All tests passed.
swish-e now creates a .swishrc config file inside the tomb so that
users can tweak its configuration by hand.
whoami() is also cleaned up, pending a fix for slackware usage.
A tempfile was often used by Tomb in order to parse the stderr output of
gpg and detect if the password is correct or not. The tempfile was not
holding any secret information (see #162) yet this is an improvement for
Tomb's deniability since there is now much less going on in the temp
firectory.
Added the --tmp flag for manual selection of the temporary directory, whose security should really be up to sysadmins when configuring operating systems. Default is ZSh TMPPREFIX usually set to /tmp/zsh which, if not existing, will be created as world writable with a sticky bit.
This commit also includes a cleanup of commandline options and a fix to swap check.
Now there is no more writing of cleartext secrets in any tempfile,
the last case was in setkey and is now eliminated. Tempfile creation
is cleaner. Related to issue #162
Using the 'cleartext' name for a key will read it from stdin and
expect it to be unencrypted. This is an unsafe mode of operation,
but useful i.e. to open remote tombs by piping the key over ssh,
or using a different software than Tomb to de/crypt keys.
This commit also renames the flag --unsecure-dev-mode into --unsafe
and includes a minor fix to the last opened date shown on open.
Addressing issue #161
after fixing issue #154 with echo here we revert to using print with
options -R -n which sort the same effect. Print is preferred since it
executes the built-in command without any possible ambiguity. We don't
want to expose secrets to an external executable in case of a simple
attack that would change the env PATH to use a rootkitted echo.
Switched to use echo with -E flag to disable escapes in keys: escape
strings were discarded cryptsetup tomb operations when they were present
in the decoded key random passphrase. Issue #154
The solution adopted here includes wrapping all cryptsetup operations to
unify the behaviour adopted.
Worth noting that this problem possibly breaks all tombs and keys
created using the unstable Tomb from git development in the past 2
months. Regression tests with previous stable releases are OK.
Adds a new `_print` function to print strings without coloring or
other stuff added by the `_msg` function. It's used for the usage
message, letting it be translated.
The usage messages have been split into one-line strings, and added
back to the tomb.pot and *.po files.
Issues:
`gettext -s - "$2"` prints the -, instead of getting the desired effect
The custom expansion missed repeated variables in a single string
Some string fixes
This refactoring avoids writing of keys on filesystem, exception made
for the 'setkey' command. Loopfiles and tempfiles are automatically
wiped at exit, variable are filled with random data before unset.
includes a working loopback and tempfile cleanup in endgame()
and several changes in order to avoid saving anything on disk
WIP addressing #124 and #126
this change uses an hidden global variable within tomb to store the
decrypted key material, avoiding using one tempfile in RAM, avoiding
running the decryption more than once (which means sanity for KDF
usage) and overall simplifying the code also avoiding duplicates.
The tomb mount is now readable by the opening uid only (711 r-x--x--x);
directory access is preserved to allow sharing access to certain subdirs.
Review and fix contributed by Morten Langlo
refactoring of the code using ask_key_password for better support
of dev-mode password supplied from CLI. This also fixes all uses of
passwd command to change a key's password.
ultimately removing the case in which we guess if the key is near
the tomb: that is not anymore in documentation and we stop encouraging
to keep the key near the tomb.
a grave bug has been affecting 1.3 and 1.3.1 releases, which makes keys
created with those versions incompatible with other Tomb versions.
This bug is now fixed and Tomb should be able again to open old tombs.
A script to sanitize keys will be released soon.
Backup simply encodes a QRCode that can be print on paper and
hidden in books or so, to keep phisical backups of keys.
The QR can be simply scanned with any smartphone, saved into a file
and reused as a key.
With the advent of a proper test suite many bugs were found and
squashed both in the way KDF and steghide were used.
Key validation func is_valid_key() now attempts recovery for keys
that have broken headers or are naked text (back-compat to old exhume).
KDF and steg now work correctly.
GnuPG 1 changes behaviour across 1.4.11 and 12 minor versions
when it comes to --status-fd and messaging on stderr/stdout.
This is a fix to make sure that gpg output is parsed correctly
last minute bug slipped in: it doesn't recognizes correct passwords
in some strange situations where gnupg doesn't returns correctly
(for instance when a .gnupg dir is not found in home)
This commit doesn't changes anything substantial in the code,
but reorganizes it in foldable units (we use folding.el) and
fixes its markup for literate code documentation using our own
fork of shocco.
now keys are verified in load_key() honoring commanline args
ask_key_password() will challenge user verifying using gnupg
drop_key() should be called after key has been used
this commit removes quite som duplicate code in password handling.
This commit re-organizes all the source distribution contents to
present users with the simple script, while moving the rest in extras.
Also autoconf/automake scripts were removed, back to minimalism.
The rationale of this change is that Tomb really only consists of a
script and users with no extra needs should just be presented with
it with no need for anything else. Any other thing on top of the Tomb
script is an extra and can be even distributed separately or integrated
in distributions.
