=== chris14_ is now known as chris14
=== chris14_ is now known as chris14
* chromebittin is listening to this years first episode09:28
marler8997Hello, I'm trying to understand what security libsecret provides over files with 0700 permissions.  It seems like all processes running as the current user can access all secrets, so does it actually add any security?18:29
JanCthe point is that only the current user can access them, yes, without needing to implement N different ways to access different storage backends18:46
JanCalso, without needing to learn how to use dbus, etc.18:47
mdeslaurit protects against offline attacks, and ensures that the crypto being used is reasonable instead of having each app do their own, etc.18:49
mdeslaurand you get a single unlock with a pam module18:50
mdeslaurbut it definitely doesn't protect a user against themselves18:50
marler8997it would only protect against "offline attacks" if libsecret is secured with a password right?  (My understanding is implementation can choose to do this or not)18:51
marler8997cool, thanks for the help/info18:53
JanCthe "daemon" could (in theory, at least) also ask for a "global" password on every access, instead of unlocking it on login, or set other access policies, so it's not _necessarily_ true that all processes can access it at will  :)18:58
JanCand it can apparently also access passwords on a TPM, etc.18:59
ahasenackthis is a bit odd, for a testcase, I populated a directory with a pattern of files that has some that should be excluded, some that shouldn't. But the warning I get is only about some of the exclusions, not all of them: https://pastebin.ubuntu.com/p/Q5gSfmdQh4/20:09
ahasenackI do verify in the test that the output of apparmor_parser -p does NOT contain any of the exclusions, so it's working20:09
ahasenackit's just the "Ignoring: ..." warning sent to stderr by apparmor_parser that doesn't mention the missing ones20:09
ahasenackI thought since they are not from dpkg file formats (pacman, rpm, etc), maybe we patched something out, but I couldn't find it20:10
georgiagahasenack: I believe that's expected. some of them are silently ignored: https://gitlab.com/apparmor/apparmor/-/blob/master/libraries/libapparmor/src/private.c#L65 20:24
georgiagthe last parameter is 1 if silently ignored20:24
georgiagI just don't know the reason :D20:24

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!