Concerns that gpg (GnuPG) could be maliciously used in order to encrypt users' files

Anxious (New Member, joined Nov 18, 2022)
I’m a newbie here, so my question is probably a very naive one, but I would still like your advice.
I’m using Ubuntu 22.04 as my personal desktop computer and discovered (on the web) that it is possible to encrypt a file without having to fill in the passphrase window.

For example:

echo "My secret passphrase" | gpg --pinentry-mode loopback --passphrase-fd 0 -c somefile.txt

will silently encrypt the file without opening the passphrase window. That is, a malicious script (bash, python, …) running with simple user permissions could be designed to encrypt every file in the $HOME folder without giving any notice. Isn’t it a bit dangerous???

Since I’m a bit anxious by nature, I changed the permissions of the gpg executable as follows:

sudo chmod u=rwx,g=,o= /usr/bin/gpg

Which means that only root can execute gpg. And it works. For the moment, I couldn’t find any reason to switch back to the original -rwxr-xr-x permissions. I can surf the web, log in and out, update, … Everything seems to be OK. The only drawback is that now I have to log in as root, in a console, in order to encrypt a file, which is not a big deal (note: I rarely do it).

My questions are the following:

1) Is it a very naive and completely ineffective approach to the problem of malicious encryption?

2) May I encounter problems in the future due to the restriction I imposed on these permissions?


Best regards
 


G'day @Anxious and welcome to linux.org :)

I find this to be an intriguing question and I have no idea on the answer.

I believe this might be better placed in Linux Security so I am moving it there. Getting Started is more for people who are looking for help getting Linux installed.

There, I am hoping some of our key players will respond, such as @JasKinasis, @dos2unix and others.

Cheers

Chris Turner
wizardfromoz
 
You should not change executable permissions, as you may be compromising other scripts of the system that depend on them. Also, encrypting the gpg executable does nothing in practice, because there are countless libraries for virtually any programming language that would execute the same or similar encryption algorithms.

But, to your question: yes. But encryption is the least of your preoccupations. Most of your system can be used for malicious purposes.

Malicious scripts exist, and if you run what you should not run, bad things can happen. It can be encrypting your information, but also sending it to a third party server, listening to keyboard events to get credit card numbers and so on, reading the contents of the clipboard for the same reason, using your computer as part of a botnet, or as a proxy to commit crimes and incriminate you...

The idea is the following: Linux is quite a secure system, but the weakest link (the user) can be tricked into running obscure scripts, downloading tainted packages from dodgy sources, opening attachments tampered with executable code, and many other things. All these won’t work normally, but if the library that processes, let’s say, images has a vulnerability that allows code to be injected, then we’d have a problem (these attacks in particular, where a payload comes in an image or another innocent piece of information, are called steganography attacks).

What you need to do is stay vigilant, check the software provider's GPG signatures and the checksums if you download software manually (package managers do this by default), and develop secure behaviour. Just by being conscious as you already are, and doing those little things mentioned, you’ll be more than fine and you’ll be much more difficult to exploit than 99% of people.

And for the ultimate security check you can always install clamav to do scans here and there, or upload a package or script to VirusTotal (https://www.virustotal.com).
 
Hello @Anxious,
Welcome to the Linux.org Forums. :)
I'm not an expert in the matter but I do not use Java on my machines as it has proven to be a vector for malicious scripts.
You would also do well to read this blog: Security on linux
 
Well… This situation is not very satisfying. I’m well aware that user education in that matter is extremely important, but you can’t bet on that. It just takes one silly decision, one instant of distraction, and you’re doomed. Now, if you say that I shouldn’t change the permissions of the gpg executable, then OK. I switched back to the original permissions.

Note: Just for fun, I wrote a little bash script (just a few lines) that would encrypt every file in $HOME with a random string as passphrase and then shred the original file. If executed on my PC, it would be absolutely impossible to recover my data. I checked whether virustotal.com would flag this script as malicious. The answer is: “No security vendors and no sandboxes flagged this file as malicious”, even though everything is there, in clear plain view (no attempt to obscure the code). So, yes, Clamav is installed and running on my PC, but I’m afraid it wouldn’t help in this situation. Clamscan also didn’t flag the script. I find this a bit disturbing, but I guess I’ll have to live with it.

Anyway, I thank you.
 
The script you wrote is no different from writing a script that removes the files, or that overwrites them with zeroes, and such a script would not ring any alarm on VirusTotal.

It's not the tool, it's the intention, and that's why you need to foster education and awareness. It's not a bet, it's a must.

It's the same as a kid who can use a broom to hit another kid on the head instead of using it to help you sweep the floor. You need to use education to prevent your kid from weaponising the broom, but also to warn your kid that there may be other kids who would use the broom as a weapon.
 
from the link which @kc1di left up above...

Security Summarized

1. First of all: you'll never be able to achieve 100 % security. Not in real life and not in the digital world. Not even when your computer is running Linux. You should always use your common sense; that's your best protection.

In a nutshell that's it.


I, and lord only knows how many others, have been using the k.i.s.s. principle for a bloody long time.

To date, no intrusions, no dramas of any kind security-wise.

I am absolutely positive I can speak for thousands of others from this site alone.

If your 'anxious by nature' is steering you in another direction, then it is ruling you....not the other way round.

Put steps in place to take control once more.

Again from that Link:
An extremely short summary of the best security practice in Linux Mint is this:
- Use good passwords.
- Install updates as soon as they become available.
- Only install software from the official software sources of Linux Mint and Ubuntu.
- Don't install antivirus (yes, really!).
- Don't install Windows emulators like Wine.
- Enable the firewall. (I use firewalld ....available from the Software Manager in Linux Mint)
- Above all: use your common sense.
 
First of all: you'll never be able to achieve 100 % security. Not in real life and not in the digital world.

I'm convinced you can have almost 100% security if you bury your computer in 25 cubic yards of concrete.

Which isn't to argue with you, but to agree with you. Complete security does not exist in a networked computer - and even non-networked computers can be compromised (see Stuxnet, for a prime example).
 
OK... So I will uninstall clamav, rkhunter and chkrootkit, but I still have a question about the firewall (which the author of the link given by @kc1di recommends).

When I enter: sudo ufw status verbose

The answer is:
WARN: uid is 0 but '/' is owned by 1000
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

(I'm using Ubuntu 22.04)

Is there something I should do about this warning?

Should I do something like: sudo chown root /

Best regards
(Sorry for the tons of edits...)

PS:
The output of stat /:
File: /
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 10302h/66306d Inode: 2 Links: 21
Access: (0755/drwxr-xr-x) Uid: ( 1000/ steph) Gid: ( 1000/ steph)
Access: 2022-11-20 07:47:33.677752823 +0100
Modify: 2022-11-20 07:47:15.117516583 +0100
Change: 2022-11-20 07:47:15.117516583 +0100
Birth: 2022-01-28 12:06:15.000000000 +0100

which gives a different uid than ufw...

I also give the output of: ls -l /

total 2097404
lrwxrwxrwx 1 root root 7 Jan 28 2022 bin -> usr/bin
drwxr-xr-x 4 root root 4096 Nov 16 06:02 boot
drwxr-xr-x 2 root root 4096 Jan 28 2022 cdrom
drwxr-xr-x 21 root root 4360 Nov 19 18:09 dev
drwxr-xr-x 173 root root 12288 Nov 18 14:09 etc
drwxr-xr-x 4 root root 4096 Jun 9 10:34 home
lrwxrwxrwx 1 root root 7 Jan 28 2022 lib -> usr/lib
drwxr-xr-x 2 root root 4096 Oct 14 14:51 lib32
lrwxrwxrwx 1 root root 9 Jan 28 2022 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Jan 28 2022 libx32 -> usr/libx32
drwxr-xr-x 2 root root 16384 Jan 28 2022 lost+found
drwxr-xr-x 3 root root 4096 Jan 28 2022 media
drwxr-xr-x 2 root root 4096 Aug 19 2021 mnt
drwxr-xr-x 6 root root 4096 Nov 15 17:09 opt
dr-xr-xr-x 487 root root 0 Nov 19 18:09 proc
drwxr-xr-x 11 root root 4096 Oct 14 17:16 root
drwxr-xr-x 30 root root 920 Nov 20 07:14 run
lrwxrwxrwx 1 root root 8 Jan 28 2022 sbin -> usr/sbin
drwxr-xr-x 9 root root 4096 Oct 14 15:26 snap
drwxr-xr-x 2 root root 4096 Aug 19 2021 srv
-rw-r--r-- 1 root root 2147483648 Jan 28 2022 swapfile
dr-xr-xr-x 13 root root 0 Nov 19 18:09 sys
drwxrwxrwt 17 root root 172032 Nov 20 07:52 tmp
drwxr-xr-x 17 root root 4096 Oct 14 15:27 usr
drwxr-xr-x 20 root root 4096 Nov 3 12:26 var
 
I disabled the default firewall on my pc.

Instead, I use firewalld

It is available in Linux Mint's Software Manager....so I could safely assume it will also be available via the Ubuntu software repository.
 
Firewalld is indeed available in the Ubuntu repo, but I think I’ll stick to ufw since I’ve installed netfilter rules (with netfilter-persistent) which are periodically updated through a Python script. I know it works like that (I’ve checked) and I’m not sure what would happen if I moved to firewalld (it would probably work just the same, but...)

By the way, I fixed the ownership of / to root (which ufw was complaining about). I don't know how it happened but everything is fine now.


Thank you
 
