From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Ihor Radchenko Newsgroups: gmane.emacs.devel Subject: Re: Storing sensitive data indefinitely in variables or buffers: Whether and how to fix? Date: Wed, 31 May 2023 08:02:53 +0000 Message-ID: <87fs7dnd1u.fsf@localhost> References: Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="38897"; mail-complaints-to="usenet@ciao.gmane.io" Cc: emacs-devel@gnu.org To: Jens Schmidt Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Wed May 31 10:00:01 2023 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1q4GkT-0009uH-Ee for ged-emacs-devel@m.gmane-mx.org; Wed, 31 May 2023 10:00:01 +0200 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1q4GjW-0005FU-96; Wed, 31 May 2023 03:59:02 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1q4Gj7-0005ER-R1 for emacs-devel@gnu.org; Wed, 31 May 2023 03:58:38 -0400 Original-Received: from mout02.posteo.de ([185.67.36.66]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1q4Gj5-00042V-Jc for emacs-devel@gnu.org; Wed, 31 May 2023 03:58:37 -0400 Original-Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id 0F98F240105 for ; Wed, 31 May 2023 09:58:31 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017; t=1685519911; bh=cfGPq/RWU0zJ83zxWC7/t24Hq8/1Q7lbG/+5ukJBRVA=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:From; b=EiCvQG08PBQmlWi0rhvp+Hjkh8JYDFOoLOThSYN2uE8lGcaLxrXdHZZ2zU/jJKBQ5 uJSX7LVwudJJOgqLkoDxJmYkFF/hqbQVBFy3YkeySrPSOiVUmJhTnshGJZ6VtYPIXc xYzkxfksP/fGVljRL0gsWQ1AUNMipHBKuFBLjwhq4fxZJBMsmlAEAr8vFX5W0bWHyv 4/cTqpn2K2FANyRimqysRJFmQTkhOm3YOmzQhy1/j5Tj+QD+o3rxpB5XE707tj5EQg tZb9pFKCZ7PiM6WbbIp8hWqzaORGzJl08hbJgTvCoJbf8fXuyU6eoPbv4SBy6TbQQn CpEyYO9ZSOOhQ== Original-Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4QWM8Q4YS1z6tyJ; Wed, 31 May 2023 09:58:30 +0200 (CEST) In-Reply-To: Received-SPF: pass client-ip=185.67.36.66; envelope-from=yantar92@posteo.net; helo=mout02.posteo.de X-Spam_score_int: -43 X-Spam_score: -4.4 X-Spam_bar: ---- X-Spam_report: (-4.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.devel:306434 Archived-At: Jens Schmidt writes: > plstore.el stores clear-text sensitive data in a number of places in a > running emacs without automatically expiring it as, for example, > password-cache does. To add on the issue, we had a somewhat similar problem related to org-persist library that stores cached data. https://list.orgmode.org/orgmode/CAM9ALR8fuSu0YWS1SehRw7sYxprJFX-r2juXd_DgvCYVKQc95Q@mail.gmail.com/ Within that thread, a concern have been raised about storing data related to files from encrypted file system. Even the file names (for example, stored by recentf) from encrypted FS may be considered sensitive if they are stored as plain text. I have considered two approaches there: 1. Expiry, when the data may persist within Emacs session, but is never written on disk. 2. Encrypting the stored data (similar to .authinfo.gpg) > 1. As usually, fixing these decreases convenience. Is that OK? IMHO, at least some people are extremely sensitive about storing sensitive data in plain text. I'd say that it is better to avoid storing sensitive data in plain text by default. Possibly, with a toggle to enable such risky storage for users who know what they are doing. -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at . Support Org development at , or support my work at