bug#19991: 24.3; insecure design or else bug: gpg passphrase persists when emacs is closed and re-opened

bug#19991: 24.3; insecure design or else bug: gpg passphrase persists when emacs is closed and re-opened

[Ed Green]

--text follows this line--
This bug report will be sent to the Bug-GNU-Emacs mailing list
and the GNU bug tracker at debbugs.gnu.org.  Please check that
the From: line contains a valid email address.  After a delay of up
to one day, you should receive an acknowledgment at that address.

Please write in English if possible, as the Emacs maintainers
usually do not have translators for other languages.

Please describe exactly what actions triggered the bug, and
the precise symptoms of the bug.  If you can, give a recipe
starting from `emacs -Q':

--- BUG REPORT BEGINS HERE

I opened emacs24 in xubuntu 14.04 with command "emacs&". In dired, I
opened a gpg-encrypted file. I was prompted to supply my passphrase,
after which the unencrypted text was displayed. I did not click the box
labelled "Automatically unlock this key, whenever I'm logged in".

Next, I closed emacs by clicking the 'x' in the corner of the window. I
opened emacs in a new process with "emacs&". Again in dired, I opened a
different gpg-encrypted file. The unencrypted text was immediately
displayed, without my being prompted for a passphrase.

Only after I re-booted the computer, was I again required to provide a
passphrase in order to display decrypted text of an encrypted file. (I 
did so again, and repeated the test just described, prior to writing 
this message.)

There is no notification of this behavior of the program, either on
screen or in any documentation that I have been able to find.

Users reasonably believe that, after they close emacs, data
(including a passphrase) entered in a session will be lost. But even a
user who is sufficiently prudent to close emacs after reading an 
encrypted file will
unwittingly expose all of his/her encrypted files to being read by
someone else who is able to open emacs (even remotely, I guess) on the
computer, until the next time that it is re-booted. I've been using 
emacs for a long time to read encrypted files, without realising until 
now that they were being potentially exposed in that way.

It seems preferable that this behavior should be changed, so that a
passphrase supplied during an emacs session will be over-written in
computer memory when the emacs process is terminated--and especially so
that the passphrase is not automatically used when emacs is subsequently
run---unless possibly the user has deliberately elected to make the 
passphrase to persist. (I wouldn't personally recommend that users be 
offered that risky option.) At the very least, if the current behavior 
is retained, then a clear, prominent warning about it should be given.

By the way, would it also be desirable to over-write computer memory 
assigned to emacs buffers containing decrypted files when the buffers 
are closed (including when the program is closed with such a buffer open)?

--- BUG REPORT ENDS HERE

If Emacs crashed, and you have the Emacs process in the gdb debugger,
please include the output from the following gdb commands:
     `bt full' and `xbacktrace'.
For information about debugging Emacs, please read the file
/usr/share/emacs/24.3/etc/DEBUG.


In GNU Emacs 24.3.1 (x86_64-pc-linux-gnu, GTK+ Version 3.10.7)
  of 2014-03-07 on lamiak, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.11501000
System Description:	Ubuntu 14.04.2 LTS

Configured using:
  `configure '--build' 'x86_64-linux-gnu' '--build' 'x86_64-linux-gnu'
  '--prefix=/usr' '--sharedstatedir=/var/lib' '--libexecdir=/usr/lib'
  '--localstatedir=/var/lib' '--infodir=/usr/share/info'
  '--mandir=/usr/share/man' '--with-pop=yes'
 
'--enable-locallisppath=/etc/emacs24:/etc/emacs:/usr/local/share/emacs/24.3/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/24.3/site-lisp:/usr/share/emacs/site-lisp'
  '--with-crt-dir=/usr/lib/x86_64-linux-gnu' '--with-x=yes'
  '--with-x-toolkit=gtk3' '--with-toolkit-scroll-bars'
  'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fstack-protector
  --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall'
  'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro'
  'CPPFLAGS=-D_FORTIFY_SOURCE=2''

Important settings:
   value of $LANG: en_US.UTF-8
   locale-coding-system: utf-8-unix
   default enable-multibyte-characters: t

Major mode: Lisp Interaction

Minor modes in effect:
   tooltip-mode: t
   mouse-wheel-mode: t
   tool-bar-mode: t
   menu-bar-mode: t
   file-name-shadow-mode: t
   global-font-lock-mode: t
   font-lock-mode: t
   blink-cursor-mode: t
   auto-composition-mode: t
   auto-encryption-mode: t
   auto-compression-mode: t
   line-number-mode: t
   transient-mark-mode: t

Recent input:
<escape> x r e p o r t - <tab> <return> u n s a f e
SPC e n c r y p t i o n SPC b e h a v i o r <return>
<help-echo> <help-echo> <down-mouse-1> <mouse-2> C-x
k <return> y e s <return> C-x 0 C-x k <return> <escape>
x r e p o r t - e <tab> <return>

Recent messages:
Checking 35 files in /usr/share/emacs/24.3/lisp/erc...
Checking 24 files in /usr/share/emacs/24.3/lisp/emulation...
Checking 74 files in /usr/share/emacs/24.3/lisp/emacs-lisp...
Checking 12 files in /usr/share/emacs/24.3/lisp/cedet...
Checking 30 files in /usr/share/emacs/24.3/lisp/calendar...
Checking 44 files in /usr/share/emacs/24.3/lisp/calc...
Checking 40 files in /usr/share/emacs/24.3/lisp/obsolete...
Checking 1 files in /usr/share/emacs/24.3/leim...
Checking for load-path shadows...done
Auto-saving...

Load-path shadows:
/usr/share/emacs/24.3/site-lisp/debian-startup hides 
/usr/share/emacs/site-lisp/debian-startup

Features:
(browse-url help-mode shadow sort gnus-util mail-extr emacsbug message
format-spec rfc822 mml easymenu mml-sec mm-decode mm-bodies mm-encode
mail-parse rfc2231 mailabbrev gmm-utils mailheader sendmail rfc2047
rfc2045 ietf-drums mm-util mail-prsvr mail-utils time-date tooltip
ediff-hook vc-hooks lisp-float-type mwheel x-win x-dnd tool-bar dnd
fontset image regexp-opt fringe tabulated-list newcomment lisp-mode
register page menu-bar rfn-eshadow timer select scroll-bar mouse
jit-lock font-lock syntax facemenu font-core frame cham georgian
utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean
japanese hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese case-table epa-hook jka-cmpr-hook help simple abbrev
minibuffer loaddefs button faces cus-face macroexp files text-properties
overlay sha1 md5 base64 format env code-pages mule custom widget
hashtable-print-readable backquote make-network-process dbusbind
dynamic-setting system-font-setting font-render-setting move-toolbar gtk
x-toolkit x multi-tty emacs)

bug#19991: 24.3; insecure design or else bug: gpg passphrase persists when emacs is closed and re-opened

[Tassilo Horn]

Ed Green <eug2@psu.edu> writes:

Hi Ed,

> I opened emacs24 in xubuntu 14.04 with command "emacs&". In dired, I
> opened a gpg-encrypted file. I was prompted to supply my passphrase,
> after which the unencrypted text was displayed. I did not click the
> box labelled "Automatically unlock this key, whenever I'm logged in".
>
> Next, I closed emacs by clicking the 'x' in the corner of the window. I
> opened emacs in a new process with "emacs&". Again in dired, I opened a
> different gpg-encrypted file. The unencrypted text was immediately
> displayed, without my being prompted for a passphrase.

I guess that's not related to Emacs but instead the GPG Agent cached the
passphrase, and the second file you opened was encrypted with the same
public key as the former file.  By default, the GPG Agent caches
passphrases for two hours:

,----[ (info "(gnupg)Agent Options") ]
| '--max-cache-ttl N'
|      Set the maximum time a cache entry is valid to N seconds.  After
|      this time a cache entry will be expired even if it has been
|      accessed recently or has been set using 'gpg-preset-passphrase'.
|      The default is 2 hours (7200 seconds).
`----

Bye,
Tassilo