Re: [misc] calcurse-caldav CALCURSE_CALDAV_PASSWORD security

Hi Lukas,

> The calcurse-caldav script is not a service. It is used on the client
> side and usually only runs for a couple of seconds, so the probability
> of an attacker gaining access on that machine, seeing the process and
> extracting information before it terminates is practically zero.
> 
> If the script is launched *after* the attacker has access to the
> machine, the attacker might as well use a key logger to get the password
> store master password and gain access to much more information.
> 
> Also, as you mentioned in the original email, it's not that hard to
> obtain a full memory dump of a process either, so we'd not gain all that
> much by using memory instead of an environment variable, would we?
> Unfortunately, I think we also can't remove that variable from memory
> after use since it's essentially required for every request we're
> sending to the CalDAV server.
> 
> Feel free to share your thoughts on this!

Thanks for your timely response!

You've made good points; it's probably overkill to include a password command
option or something.

Thanks for your help alleviating my worries.

-- 
Marco Sirabella
