mirror of
https://github.com/xpipe-io/xpipe.git
synced 2024-11-22 07:30:24 +00:00
128 lines
7 KiB
Markdown
128 lines
7 KiB
Markdown
# Security
|
|
|
|
Due to its nature, X-Pipe has to handle a lot of sensitive information.
|
|
This can range from passwords for all kinds of servers, to SSH keys, and more.
|
|
Therefore, the security model of X-Pipe plays a very important role.
|
|
|
|
This document summarizes the approach of X-Pipe when it comes to the security of your sensitive information.
|
|
If any of your questions are left unanswered by this document, feel free to file an
|
|
issue report so your question can be answered individually and can also potentially be included in this document.
|
|
|
|
## Reporting a security vulnerability
|
|
|
|
If you believe that you found a security vulnerability in X-Pipe,
|
|
you can make use of
|
|
the [private security report feature](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)
|
|
of GitHub.
|
|
|
|
## Security assumptions
|
|
|
|
The general assumption is that the system on which X-Pipe runs on is not badly infected.
|
|
This refers to your local system on which you installed X-Pipe, not any remote systems that you then connect to.
|
|
If your local system is infected to an extent where malicious programs can modify the
|
|
file system and other installed programs like X-Pipe,
|
|
then there is no technical way of preventing malicious programs to also infect X-Pipe and the connected systems as well.
|
|
|
|
Any underlying remote connection command-line program should be secure.
|
|
If for example your SSH connection is susceptible to MITM attacks, or
|
|
vulnerable in any other way, there is no way for X-Pipe to keep the sensitive information secure.
|
|
As X-Pipe completely outsources any connection handling to your command-line tools,
|
|
it is your responsibility to keep them up to date with security patches and more.
|
|
X-Pipe can only be as secure as your underlying command-line tools itself.
|
|
|
|
## Data security and privacy
|
|
|
|
The general approach of X-Pipe can be summarized as follows:
|
|
|
|
- Any sensitive information should be kept as secure as possible exclusively on your local machine,
|
|
both while X-Pipe is running and also not running
|
|
- When sensitive information is required on another remote system that is connected through X-Pipe, that information
|
|
should be transferred and
|
|
remain there as briefly and securely as possible
|
|
- No sensitive information should be sent to any other server outside your network of trusted connections
|
|
|
|
### Storage of sensitive information
|
|
|
|
All X-Pipe data is exclusively stored on your local machine at `~/.xpipe/storage`.
|
|
You can choose to change this storage location in the settings menu.
|
|
|
|
All sensitive information is encrypted when it is saved to disk on your local machine using AES
|
|
with either:
|
|
|
|
- A custom master lock key that can be set by you in the settings menu
|
|
(This option is only as secure as the password you choose)
|
|
- A somewhat dynamically generated key (This option can be reverse
|
|
engineered though, there is no way of perfectly securing your data without any custom key)
|
|
|
|
It is also planned that you will be able to
|
|
source passwords and more directly from other external sources such as password managers in the future.
|
|
|
|
### Passing of sensitive information
|
|
|
|
When any kind of login information is required by a command-line program, it has to be passed to it somehow.
|
|
If the program runs on your local system, the data does not leave your local system.
|
|
If login information is required on a remote system, then that data must be transferred to that remote system.
|
|
|
|
In case a program accepts password input via stdin, this process is relatively straightforward.
|
|
Then the passed sensitive information is just written into the stdin of the program and does not show up in any history or file system.
|
|
|
|
When a program only accepts password input via an environment variable or an askpass program,
|
|
a self deleting password supplier script file is generated by X-Pipe.
|
|
This script contains the encrypted password and will supply
|
|
the password to the target program exactly once when invoked and immediately deletes itself afterwards.
|
|
This behavior ensures that there is no leftover password script after an operation is performed.
|
|
As a secondary measure, for cases in which the calling program crashes
|
|
and is not able to execute the script and therefore doesn't delete the password script,
|
|
the generated script directory is also frequently cleaned.
|
|
As a result, no sensitive information of yours should show
|
|
up in any kind of shell history or on any file system.
|
|
|
|
### The purpose of shell scripts
|
|
|
|
Whenever you open a remote connection in a terminal from X-Pipe, you will notice that your terminal shows
|
|
the name of a script located in your temp directory in the title bar to indicate that you're currently executing it.
|
|
The naming scheme of these scripts is usually something like `xpipe/exec-<id>.(bat|sh|ps1)`
|
|
This is intended as these scripts contain all commands that are required
|
|
to realize the functionality of connecting and initializing the shell environment.
|
|
These scripts do not contain any sensitive information,
|
|
you are free to inspect them yourselves in the temp directory.
|
|
|
|
In case a script connects to a remote system and passes login information to a program via variables or askpass
|
|
programs,
|
|
it automatically becomes useless after being invoked once (See [above](#passing-of-sensitive-information)).
|
|
As the script is run immediately after it is created initially, e.g.
|
|
when using the `Open in terminal` functionality, it becomes useless pretty much
|
|
instantly so any attacker doesn't obtain any sensitive information from it.
|
|
|
|
### Logging
|
|
|
|
By default, X-Pipe creates log files located in `~/.xpipe/logs`.
|
|
Under normal conditions these log files do not contain any sensitive information.
|
|
If you choose to alter the log level in the settings menu or launch X-Pipe in debug mode,
|
|
these log files will contain a lot more and finer grained information, some of which might be sensitive.
|
|
|
|
### Issue reports
|
|
|
|
Whenever an error occurs within X-Pipe or you choose to open the error reporter dialog,
|
|
you have the option to automatically send an error report with optional feedback and attachments.
|
|
This error report does not contain any sensitive information unless
|
|
you explicitly choose to attach debug mode log files (See above).
|
|
|
|
## Isolation
|
|
|
|
Any infected remote system should be isolated enough such that any infection can't spread through X-Pipe.
|
|
|
|
### User isolation
|
|
|
|
All relevant files like configuration files and other required temporary files
|
|
are only accessible by the current user.
|
|
Any other user on a system can't read or write them unless they have root/Administrator privileges.
|
|
|
|
### Isolation of remote systems
|
|
|
|
When you add a remote system as a host within X-Pipe, it is implicitly assumed that you trust this system.
|
|
Any required login information is sent to and handled on that remote host when required,
|
|
so it would be possible for malicious program with sufficient privileges to obtain any information sent to that host.
|
|
This would require an attacker to be able to access files of the user that is used to log into the remote system.
|
|
It should however not be possible for any malicious program on the remote host to obtain
|
|
other information stored by X-Pipe that is not explicitly sent to that host.
|