Re: [misc] calcurse-caldav CALCURSE_CALDAV_PASSWORD security

Hi Marco!

On Fri, 08 Nov 2019 at 17:24:10, Marco Sirabella wrote:
> This is [marginally more secure](https://stackoverflow.com/q/12461484) than
> just sticking it in a text file, as `/proc/$pid/environ` will contain the
> password passed through.
> 
> Is the purpose of this feature for security? Or is it just a convenience to use
> with a password manager?

It was added to support password managers and avoid storing the password
in plaintext, so I guess the answer to both questions is "yes".

> I would hope to see something like "caldav password command", which the
> application then runs itself and stores the password in it's own memory (which
> arguably can still be recovered, just harder)

Thanks for offering your help with this. I'd first like to understand
which potential scenario you're trying to address, though.

The calcurse-caldav script is not a service. It is used on the client
side and usually only runs for a couple of seconds, so the probability
of an attacker gaining access on that machine, seeing the process and
extracting information before it terminates is practically zero.

If the script is launched *after* the attacker has access to the
machine, the attacker might as well use a key logger to get the password
store master password and gain access to much more information.

Also, as you mentioned in the original email, it's not that hard to
obtain a full memory dump of a process either, so we'd not gain all that
much by using memory instead of an environment variable, do we?
Unfortunately, I think we also can't remove that variable from memory
after use since it's essentially required for every request we're
sending to the CalDAV server.

Feel free to share your thoughts on this!

Lukas

Links