Tool to find sensitive info with no standard locations? #4169
matthew-cline started this conversation in Ideas

Replies: 1 comment
Reply:

This sounds more complex than it would be useful. Whitelisting profiles are likely not affected by this and blacklisting profiles are weak enough that this is not that important IMHO.
Original post by matthew-cline:

GitHub's command line tool can take an authorization token (similar to a password) from the environment (see issue #4157). As rusty-snake noted, even if these are removed with `rmenv`, a sandboxed app might be able to read the file that contains the value of the token. Since there's no standard place to put such files, a profile can't block access to those files.

I've been working on a tool which looks through the environments of a user's processes (`/proc/<PID>/environ`) and, if it finds any known variables which contain sensitive info, it tries to find the files they're in, and if it finds them, runs a script in firejail sandboxes with various profiles to see if those files are blocked or not. Currently it uses `strace` on a login instance of a bash shell to get a list of files to look through (though that can be expanded on). If it can't find the files the sensitive data came from, it informs the user and lets them add the file's location to a config file and try again.

So, is this on the right track? Or maybe it should be cut down to just alerting the user if it finds environmental variables containing sensitive info? Or what?
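An added illustration of the first two steps the post describes, written for this page and not matthew-cline's tool: it parses an environ blob in the NUL-separated `/proc/<pid>/environ` format, keeps variables whose names look like credentials, and reports which candidate files contain their values (the paths a profile would have to block). The name pattern, the constructed environ blob and the temporary rc file are assumptions; on a real system the blob would be read from `/proc/<pid>/environ` and the candidate list would come from the `strace` run.

```python
"""Find credential-like variables in a process environment and locate the
files that supply their values (added example, not the tool from the post)."""
import os
import re
import tempfile

# Assumed name pattern: GH_TOKEN / GITHUB_TOKEN (read by the GitHub CLI) and
# other common credential suffixes.
SENSITIVE_NAME = re.compile(r"(TOKEN|SECRET|PASSWORD|API_KEY)$", re.IGNORECASE)

def parse_environ(blob: bytes) -> dict:
    """Parse a /proc/<pid>/environ blob: NUL-separated KEY=VALUE entries."""
    env = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def sensitive_vars(env: dict) -> dict:
    """Keep only non-empty variables whose names match the credential pattern."""
    return {k: v for k, v in env.items() if v and SENSITIVE_NAME.search(k)}

def locate_values(found: dict, candidate_files) -> dict:
    """Map each sensitive variable to the candidate files that contain its
    value, i.e. the paths a sandbox profile would have to block."""
    hits = {name: [] for name in found}
    for path in candidate_files:
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError:
            continue  # missing or unreadable: nothing to report for this path
        for name, value in found.items():
            if value.encode() in data:
                hits[name].append(path)
    return hits

def demo() -> dict:
    """Constructed input: a fake environ blob plus a temporary rc file that
    exports the same token; returns the variable -> files mapping."""
    blob = b"HOME=/home/alice\0GH_TOKEN=ghp_EXAMPLE123\0SHELL=/bin/bash\0"
    found = sensitive_vars(parse_environ(blob))
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".bashrc") as tmp:
        tmp.write(b"export GH_TOKEN=ghp_EXAMPLE123\n")
    try:
        return locate_values(found, [tmp.name, "/nonexistent/rc"])
    finally:
        os.unlink(tmp.name)
```

`demo()` returns a mapping with one entry, `GH_TOKEN`, pointing at the temporary rc file; the nonexistent path is skipped silently.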