I’m a newbie here, so my question is probably a very naive one, but I would still like your advice.
I’m using Ubuntu 22.04 as my personal desktop computer and discovered (on the web) that it is possible to encrypt a file without having to fill in the passphrase window.
For example:
echo "My secret passphrase" | gpg --pinentry-mode loopback --passphrase-fd 0 -c somefile.txt
will silently encrypt the file without opening the passphrase window. That is, a malicious script (bash, python, …) running with simple user permissions could be designed in order to encrypt every file in the $HOME folder, without giving any notice. Isn’t it a bit dangerous???
Since I’m a bit anxious by nature, I changed the permissions of the gpg executable as follows:
sudo chmod u=rwx,g=,o= /usr/bin/gpg
Which means that only root can execute gpg. And it works. For the moment, I couldn’t find any reason to switch back to the original -rwxr-xr-x permissions. I can surf the web, log in and out, update, … Everything seems to be OK. The only drawback is that now I have to log in as root, in a console, in order to encrypt a file, which is not a big deal (note: I rarely do it).
My questions are the following:
1) Is it a very naive and completely ineffective approach to the problem of malicious encryption?
2) May I encounter problems in the future due to the restriction I imposed on these permissions?
Best regards