Re: [misc] calcurse-caldav CALCURSE_CALDAV_PASSWORD security
- Date: Fri, 8 Nov 2019 20:36:06 -0500
- From: Marco Sirabella <marco@xxxxxxxxxxxxx>
- Subject: Re: [misc] calcurse-caldav CALCURSE_CALDAV_PASSWORD security

> The calcurse-caldav script is not a service. It is used on the client
> side and usually only runs for a couple of seconds, so the probability
> of an attacker gaining access on that machine, seeing the process and
> extracting information before it terminates is practically zero.
>
> If the script is launched *after* the attacker has access to the
> machine, the attacker might as well use a key logger to get the password
> store master password and gain access to much more information.
>
> Also, as you mentioned in the original email, it's not that hard to
> obtain a full memory dump of a process either, so we'd not gain all that
> much by using memory instead of an environment variable, would we?
>
> Unfortunately, I think we also can't remove that variable from memory
> after use since it's essentially required for every request we're
> sending to the CalDAV server.
>
> Feel free to share your thoughts on this!

Thanks for your timely response!

You've made good points; it's probably overkill to include a password command
option or something.

Thanks for your help alleviating my worries.