LinuxQuestions.org
Old 05-29-2019, 12:32 PM   #1
dale2k9
LQ Newbie
 
Registered: Jan 2016
Posts: 6

Rep: Reputation: Disabled
I want to create a virtual file - looks and acts like a file but is an app


I want to create something that may not exist - but is likely possible with enough Linux code.

I have a config file for an app that requires a plain text password - isn't that crazy in 2019 that serious enterprise apps would require storing a password in plain text? What I'd like to do, and this would be very handy for this problem and a lot of others, is to have a file link to an app. The app would mimic the file system functions so that you could open, edit, delete, create, etc. just like a file but I could render the contents out of an app that could handle encryption behind the scenes.

This would allow encryption of any config or data from an app even if the app was encryption unaware. Of course there's a million other useful things that could be done with such a tool.

Does anything like that exist today?
 
Old 05-29-2019, 12:45 PM   #2
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 19.1 MATE
Posts: 8,018
Blog Entries: 5

Rep: Reputation: 2870
Why don't you place the software's stored data within an encrypted container which you have to mount/decrypt before you run the application, and unmount afterwards (I use VeraCrypt for similar). That way, the data will remain encrypted when the application is not running. Of course, if it's an application that runs all the time, or for a significant percentage of it, and someone accesses the machine while it is, they will have access to the container contents.

Auto unmounting on logout/shutdown is a useful tool, as is creating a script that does the mounting for you (asking you for the encryption password) and runs the application, then dismounts when the application terminates.
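
The mount, run, dismount wrapper described in the post above could look like this. It is an added example, not hydrurga's script; the container path and mount point are hypothetical, and it assumes VeraCrypt's text mode (`-t`) prompts for the password on the terminal.

```shell
#!/bin/sh
# Added example: mount the container, run the app, always dismount.
# CONTAINER and MOUNTPOINT are hypothetical paths.
CONTAINER=${CONTAINER:-/srv/secure/app.hc}
MOUNTPOINT=${MOUNTPOINT:-/mnt/app-secure}

# Text-mode VeraCrypt prompts for the password on the terminal, so the
# password is never stored in this script or passed on a command line.
mount_container()   { veracrypt -t "$CONTAINER" "$MOUNTPOINT"; }
unmount_container() { veracrypt -t -d "$MOUNTPOINT"; }

# run_in_container CMD [ARGS...]: run CMD with the container mounted and
# return CMD's exit status. If mounting fails, CMD is never started.
run_in_container() {
    mount_container || { echo "mount failed, not starting app" >&2; return 1; }
    (
        # The EXIT trap dismounts whether CMD succeeds, fails, or the
        # wrapper is interrupted; the signal traps turn HUP/INT/TERM into
        # an exit so that the EXIT trap also fires in those cases.
        trap unmount_container EXIT
        trap 'exit 129' HUP
        trap 'exit 130' INT
        trap 'exit 143' TERM
        "$@"
    )
}

# Usage (hypothetical application path):
#   run_in_container /opt/app/bin/app --config "$MOUNTPOINT/app.conf"
```

While the application runs, anything with access to the mount point can read the contents, as the post notes; the wrapper only guarantees they are no longer accessible once the application stops.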
 
Old 05-29-2019, 01:47 PM   #3
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,467

Rep: Reputation: 2313
Surely if the application requires a plaintext password then any "app" you create needs to provide a plaintext password when "read", thus defeating the object.
The ideas above look good -- look to what you want to protect against.
 
Old 05-29-2019, 01:51 PM   #4
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,384
Blog Entries: 3

Rep: Reputation: 2184
A named pipe might do some of what you are aiming for. See "man mkfifo" for details.
 
1 members found this post helpful.
Old 05-29-2019, 02:11 PM   #5
dale2k9
LQ Newbie
 
Registered: Jan 2016
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by 273
Surely if the application requires a plaintext password then any "app" you create needs to provide a plaintext password when "read", thus defeating the object.
The ideas above look good -- look to what you want to protect against.
You're right about the app providing the plain-text. This issue exists with all encryption. Anyone who has access to an encrypted directory, or any directory on an encrypted drive, etc., will get the plain text but it keeps the plain text from being stored at rest. But the beauty of my idea (and maybe the beauty is only skin deep) is that the app can read an encrypted file for the password or could call a web service for the password or have a custom provider dropped in that gets the password from an enterprise password store.

A big gap in too many enterprise apps, even brand new ones, is that they hard-code password access or management into the app. Apps shouldn't care where or how they get passwords, as long as they get them when needed. In my opinion, password access should always be a plug-in or drop-in solution with, perhaps, a default encrypted file storage solution - or even default plain-text file solution as long as there's a way to replace that in production. Some apps have that; most don't.

Almost all large enterprises have a password management solution with various means, RPC, REST, local caches, etc., for retrieving passwords. There's no single solution or standard so plugins should be the standard password access for every enterprise app. But, of course, it is not.

So my idea makes plugin password management available to any app that at least gets passwords from any text file. Or plugin access to any data coming from a file - programmatic dynamic startup configuration for millions of apps. If there's nothing that does it now then it could be a challenge but it's not impossible. Probably involves extending a file system and acceptance into a supported Linux file system. Maybe more trouble than it's worth but, across all of Linux, maybe not.
 
1 members found this post helpful.
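
The named pipe suggested in post #4, combined with the drop-in password provider described in post #5, as an added example that is not code from any poster in this thread. `fetch_secret`, the `@PASSWORD@` marker and the paths are hypothetical; the provider here returns a constructed sample value where a real one would decrypt a file or call the password store.

```shell
#!/bin/sh
# Added example: hand a rendered config to the app through a named pipe.
# fetch_secret, the @PASSWORD@ marker and all paths are hypothetical.

# Pluggable provider. A real one would decrypt a file or query the
# password store; this stand-in returns a constructed sample value.
fetch_secret() {
    printf '%s' 'constructed-sample-secret'
}

# render_config TEMPLATE: print TEMPLATE with every @PASSWORD@ replaced.
# The secret reaches awk through the environment rather than argv, and is
# substituted literally, so characters such as & or / need no escaping.
render_config() {
    SECRET="$(fetch_secret)" awk '
    {
        out = ""; rest = $0
        while ((i = index(rest, "@PASSWORD@")) > 0) {
            out = out substr(rest, 1, i - 1) ENVIRON["SECRET"]
            rest = substr(rest, i + 10)   # 10 = length of the marker
        }
        print out rest
    }' "$1"
}

# serve_fifo_once TEMPLATE FIFO: create FIFO (owner-only) and answer one
# open(). The redirection blocks until a reader opens the pipe, so the
# secret is fetched only at that moment and is never written to disk.
serve_fifo_once() {
    template=$1
    fifo=$2
    mkfifo -m 600 "$fifo" || return 1
    render_config "$template" > "$fifo"
    status=$?
    rm -f "$fifo"
    return "$status"
}

# Usage (hypothetical paths):
#   serve_fifo_once /etc/app/app.conf.tmpl /run/app/app.conf &
#   app --config /run/app/app.conf
```

A FIFO cannot be seeked or re-read, so an application that checks for a regular file or opens its config twice will not accept it. Any process running as the pipe's owner still receives the plaintext on read, which is the limit post #3 points out.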
Old 05-29-2019, 02:14 PM   #6
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,467

Rep: Reputation: 2313
Ah, so you have thought about this! I'll continue thinking about this and hope you find a solution. The name "Kerberos" comes to mind from my Windows exposure.
 
1 members found this post helpful.
Old 05-29-2019, 02:20 PM   #7
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,384
Blog Entries: 3

Rep: Reputation: 2184
Quote:
Originally Posted by 273
Ah, so you have thought about this! I'll continue thinking about this and hope you find a solution. The name "Kerberos" comes to mind from my Windows exposure.
That is another route. Kerberos and kerberized applications predate M$ Windows by a decade or two, depending on how you measure. Check MIT Kerberos or Heimdal Kerberos for documentation.
 
2 members found this post helpful.
Old 05-29-2019, 05:40 PM   #8
dale2k9
LQ Newbie
 
Registered: Jan 2016
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist
That is another route. Kerberos and kerberized applications predate M$ Windows by a decade or two, depending on how you measure. Check MIT Kerberos or Heimdal Kerberos for documentation.
Kerberos would have to be written into the insecure applications. Some of the apps requiring plain-text passwords stored in files are open sourced and I could write mods and submit pull requests for each one, hoping the committers like my idea. But that wouldn't help on closed-source apps. Honestly, I can't believe people are still writing and selling apps with insecure password management or that my company is still buying them, and I'm looking at ways around it.
 
Old 05-29-2019, 09:09 PM   #9
jefro
Moderator
 
Registered: Mar 2008
Posts: 19,423

Rep: Reputation: 2998
A hardware key may work. I'd think to be somewhat secure you'd need some form of two party authentication if I get this all correctly. Encryption with a self signed key may also work.
 
Old 05-29-2019, 10:41 PM   #10
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,384
Blog Entries: 3

Rep: Reputation: 2184
Quote:
Originally Posted by jefro
A hardware key may work.
They are called Hardware Security Modules (HSM) and tend to be pricey, but might be relevant.
 
Old 05-30-2019, 01:56 AM   #11
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 13,223
Blog Entries: 9

Rep: Reputation: 3617
Quote:
Originally Posted by dale2k9
I have a config file for an app that requires a plain text password - isn't that crazy in 2019 that serious enterprise apps would require storing a password in plain text?
i question this.
name the "serious enterprise" app - and why you can't use a secure alternative.
 
  

