Information Security
password-management gnupg sudo npm
Updated Thu, 08 Sep 2022 14:25:19 GMT

How to securely use `pass`, `sudo`, and `npm` on the same machine


TL;DR: running npm i ... not long after pass my-password allows a malicious package to steal my entire password store.


I use pass as a password manager, on Linux. And like probably all Linux users, I use sudo to run commands as root.

The first time I retrieve a password with pass my-password, I need to type the passphrase of my GPG private key. Then, the GPG agent will keep this passphrase in memory for a few minutes.

Same with sudo: running a few consecutive sudo commands will only ask for the password once.

Now, when I install packages with npm install ... (or with Pip, or any other package manager), these packages can contain scripts that can be run.

This poses an incredibly dangerous security issue: if I run npm install ... not long after I ran pass, a malicious package could steal the entire content of my password store. Same issue with sudo. Even more incredible: it's very hard to find people on the interned who care about it.

The first solution that comes to my mind is to set the timeout for the GPG agent and sudo to 0.

Another one is to open every projects I work on in a development container (a docker container), to prevent scripts in it to access my home folder. But it would require to constantly create containers for new and existing projects, which can take quite some time.

Can you think of any other solution?




Solution

running npm i ... not long after pass my-password allows a malicious package to steal my entire password store

Yes, but not just that. Running npm i ... at any time before pass my-password allows a malicious package to steal your entire password store. A malicious package can inject code somewhere (for example the pass executable or a library that it uses) so that whenever sensitive data becomes accessible, the malicious entity will have access to it as well.

As soon as an environment is compromised, it's game over.

The only solution is to run untrusted code in an isolated environment.

(Mind you, why are you installing development packages you don't trust? Are they somehow secure enough for the users of the product you're developing, but not for yourself?)





Comments (2)

  • +0 – Thanks for your answer. It's true that as soon as the environment is compromised, there is not much to do to save it. To answer your question: the packages I download are going to be used in a web app. For my users, these packages will be executed in a web browser, which is a safe and sandboxed environment. For me however, these packages can simply do anything as soon as I install them. — Jul 20, 2022 at 07:10  
  • +0 – So it appears to me that NPM is too open and I'm wondering why it hasn't been made more secure by default, for instance by preventing execution of scripts at install, unless explicitly authorised. But as mentioned in a comment above, it has probably been done to allows ease of usage, to the detriment of security. — Jul 20, 2022 at 07:12  


External Links

External links referenced by this document: