SecretService client authorisation for short-lived processes

[nbarrientos]

Hi,

If I understand correctly, since 2.7.0, apps requesting secrets via SecretService have to be authorised to do so, either every time a secret request is issued (Allow Selected) or permanently (Allow All and Future). I understand the value of this feature which strengthens KeepassXC's security.

However, in my case isync uses secret-tool to retrieve the password of my IMAP account, with something along the lines of:

PassCmd "/usr/bin/secret-tool lookup host mail.example.org account joe@example.org"

The issue now is that every run of the mail sync process creates a new secret-tool process so KeypassXC asks interactively for authorisation to deliver the secret. I imagine that the SecretService implementation is designed to save the PID or other fingerprint of a running process and whitelist it and does not have short-lived processes in mind (just a guess, sorry, I haven't looked at the implementation details).

As you can imagine, this is a bit cumbersome. I've set for the time being ConfirmAccessItem=false, however maybe it'd be nice to have more fine grained authorisation rules like: "all requests coming from a process with binary /usr/bin/secret-tool and parent /usr/bin/mbsync are authorised to retrieve secret A". I'm rather happy with ConfirmAccessItem=false as, if I recall correctly, it restores the behaviour of the previous version of KeepassXC however, does my proposal make any sense to you?

Thanks.

[droidmonkey]

Hmmm, I could imagine remembering the process stack instead of, or in addition to, pid. This would let you remember that a specific process was using secret-tool to request credentials. Perhaps could be a special case for secret-tool only.

[nbarrientos]

Yup, in my case it might be tricky because it's systemd spawning mbsync via a service unit and a timer so the only "resident" process to remember/authorise in the tree would be systemd --user which is a bit too generic. Ideally, for me having a way to define a rule to allow any requests from /usr/bin/secret-tool (any PID) invoked by /usr/bin/mbsync (any PID) would be perfect.

Indeed as you're suggesting an alternative would be to handle /usr/bin/secret-tool as a special case and add another config option to always authorise new /usr/bin/secret-tool processes, regardless of the parent or process stack.

[CrfzdPQM6]

I had the same problem using secret-tool to provide login to a caldav server. Another oddity is that every time an access request is triggered, keepass first insists on unlocking all databases that are in tabs within the KeePassXC application, and only then goes to the one (that was in scope at first) that has the Secret Service access available. I only encountered this before when another tab was active, different to the one that had the Secret Service integration.

[droidmonkey]

It is 'dangerous' to trust secret-tool implicitly because any adversary or malicious program would be using it to harvest credentials. So this is a hard problem to solve correctly.

[jonasc]

It is 'dangerous' to trust secret-tool implicitly because any adversary or malicious program would be using it to harvest credentials. So this is a hard problem to solve correctly.

Could a slightly more secure way be to have dedicated scripts which only access a specific entry? Like /usr/bin/local/get-mail-pwd as

#!/usr/bin/bash
exec secret-tool lookup Uuid <my-uuid-here>

This script could, for additional security, check whether it is called by the right script (e.g. by examining /proc/$PPID/exe and /proc/$PPID/cmdline).

#!/usr/bin/bash
[[ $(readlink "/proc/$PPID/exe") == /usr/bin/mbsync ]] || exit 1
exec secret-tool lookup Uuid <my-uuid-here>

Obviously this script should not be writable as that would defeat the security improvement.

[Aetf]

Isn't this #6458?

[droidmonkey]

Somewhat, perhaps a special case for explicit approvals of secret-tool parent process.

[Aetf]

To special handle secret-tool we have to figure out a way to identify secret-tool. Obviously just checking for
/usr/bin/secret-tool isn't reliable due to reasons in #6458.

[droidmonkey]

Well you leave it up to the user, just detect the process name (not path):

Warning: It looks like a process is using secret-tool, be sure you trust the parent process calling it before allowing.