Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place! |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
 |
01-14-2017, 12:13 PM
|
#1
|
Senior Member
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127
Rep: 
|
Overwriting a variable in memory
Simply put, if I change the contents of a variable from within a bash script will that action overwrite the ACTUAL memory location where the variable was initially stored?
The script prompts me for a passphrase then uses the passphrase to unlock and mount two LUKS partitions. If I then execute PASS="a long string of rubbish..." will the value of the original passphrase still be in memory? Is there a better way to "wipe" the value from memory?
TIA,
Ken
|
|
|
01-14-2017, 12:22 PM
|
#2
|
Senior Member
Registered: Jun 2010
Location: Wiltshire, UK
Distribution: Void, Linux From Scratch, Slackware64
Posts: 3,207
|
It depends on the internals of bash, it will probably allocate space on the heap when creating the variable, large enough to hold the data and any internal data it needs, when the variable changes it may reuse that memory if the new value uses less data than the old one, more probably it will release the memory back to the heap then allocate more memory for the new data, this will leave the old data in memory until the memory is re-allocated to some other process or bash itself and it would then be overwritten, but how long it will stay intact in memory is un-knowable.
|
|
|
01-14-2017, 01:40 PM
|
#3
|
Senior Member
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127
Original Poster
Rep: 
|
Thanks Keith Hedger,
That is what I suspected.
Ken
|
|
|
01-14-2017, 05:39 PM
|
#4
|
Senior Member
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,908
|
Quote:
Originally Posted by Keith Hedger
It depends on the internals of bash, it will probably allocate space on the heap when creating the variable, large enough to hold the data and any internal data it needs, when the variable changes it may reuse that memory if the new value uses less data than the old one, more probably it will release the memory back to the heap then allocate more memory for the new data, this will leave the old data in memory until the memory is re-allocated to some other process or bash itself and it would then be overwritten, but how long it will stay intact in memory is un-knowable.
|
Well, it won't be reallocated to another process. Any memory released to the kernel (unlikely) is zeroed before allocation to the alternate process.
But environment variables will remain within bash - but are retrievable by the debugger that may connect to the bash process.
This is one of the limitations of shell programming - they are NOT designed for security operations.
|
|
|
01-20-2017, 12:55 PM
|
#5
|
Senior Member
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127
Original Poster
Rep: 
|
Thanks jpollard and pardon my delay in responding to your reply. When I ran the script I received a message scolding me about unsecure memory and asking me if I was root. It appears that I need to run the script as root. Perhaps root's use of memory is different?
Ken
|
|
|
01-20-2017, 06:08 PM
|
#6
|
Senior Member
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,908
|
Quote:
Originally Posted by taylorkh
Thanks jpollard and pardon my delay in responding to your reply. When I ran the script I received a message scolding me about unsecure memory and asking me if I was root. It appears that I need to run the script as root. Perhaps root's use of memory is different?
Ken
|
Nope. The insecurity is inherent in shell programming.
It takes special effort to write applications that are secure - and none of them are done in a shell script. Possibly the best (IMO) is Perl - you can turn on the security option that will then track variables and signal when known insecurity occurs (a "taint" mode to detect insecure usage). This doesn't prevent security issues, but it does try to identify when they occur.
|
|
|
01-20-2017, 06:50 PM
|
#7
|
Senior Member
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127
Original Poster
Rep: 
|
OK. Suppose I manually enter at the command line
Quote:
cryptsetup luksOpen /dev/disk/by-uuid/e3581441-2eb3...
|
and enter the passphrase when prompted. Is the passphrase left floating in RAM somewhere? I believe I have read that the actual key used to decrypt the partition remains in memory so I wonder if the passphrase is a bigger vulnerability?
|
|
|
01-21-2017, 07:40 AM
|
#8
|
Senior Member
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,908
|
I believe the setup protects the passphrase by bypassing the shell when the prompt is presented (going through /dev/tty directly, the same way that passwd protects changing passwords), then once the passphrase is used to decrypt the decryption key the phrase is discarded by clearing the memory within the cryptsetup tool.
The decrypted key is protected by the kernel so that access to the data is possible.
|
|
|
All times are GMT -5. The time now is 11:23 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|