
:password customize type (was: :file keyword for Customize)


From: Ted Zlatanov
Subject: :password customize type (was: :file keyword for Customize)
Date: Mon, 12 May 2008 08:13:35 -0500
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.60 (gnu/linux)

On Sat, 10 May 2008 06:17:43 +0900 "Stephen J. Turnbull" <address@hidden> wrote:

SJT> Ted Zlatanov writes:
>> Please consider my actual use cases that substantiate the need for
>> separate custom files.  If you think they are not generally
>> applicable, fine, but don't use hyperbole to derail the discussion.

SJT> Your security use case clearly substantiates the need for separate
SJT> files, but also pretty much rules out the use of customize in my
SJT> opinion.  For example, use of customize to customize authentication
SJT> information almost certainly will leave that information in memory,
SJT> for root, somebody who has compromised your account, or a core dump to
SJT> access in clear.

Yes, a :password type is needed for sure, so Emacs can treat it
specially.  In addition to the visuals (don't display it when it's
entered), it could ask for two fields and make sure they are the same.
I couldn't find proposals of a :password type when I searched, and the
ELisp manual doesn't have it.  Has this been discussed before?  It could
also be :secret, indicating that not just passwords qualify.

I know little of the Emacs internals but I'd guess this has to be
implemented in the C core.

IMO worrying about root compromises is futile.  If an attacker has root
on your machine, scrambling memory contents is useless.  The :password
custom type should maybe scramble things with a simple symmetric cipher
(to protect against memory dumps), but anything more is
overkill.

OTOH, file contents are permanent and much more susceptible to
compromise, so encryption is always a good idea if the information is
sensitive.  Also, if the file name is well-known, it's much easier to be
compromised.  Mozilla/Firefox for instance save profiles in a
hard-to-guess directory, so casual attackers will have a harder time
finding secret data.  Similarly in the case of Emacs, it would be nice
if the user could decide on a hard-to-guess location for sensitive data
while keeping the main custom file accessible, which comes back to
Drew's :file proposal.  Maybe it's enough to have just two custom files:
one for regular data, one for secret data?

Ted




