On Mon, Jul 16, 2018 at 3:43 PM Andrey Rahmatullin <w...@debian.org> wrote:
> On Mon, Jul 16, 2018 at 03:14:20PM +0200, Dashamir Hoxha wrote:
> > > ++ mktemp -d /dev/shm/pw.sh.XXXXXXXXXXXXX
> > > + WORKDIR=/dev/shm/pw.sh.JHasAYH9zwYz1
> > > [...]
> > > + decrypt /home/pkern/.pw/pw.tgz
> > > + local archive=/home/pkern/.pw/pw.tgz
> > > + local 'opts=--quiet --yes --batch '
> > > + [[ -z '' ]]
> > > + gpg2 --quiet --yes --batch --passphrase-fd 0 > /home/pkern/.pw/pw.tgz.gpg
> > > + local err=0
> > > + [[ 0 -ne 0 ]]
> > > + tar -xzf /home/pkern/.pw/pw.tgz -C /dev/shm/pw.sh.JHasAYH9zwYz1
> > > + rm -f /home/pkern/.pw/pw.tgz
> > >
> >
> > So, you have not looked at the code trying to follow the logic.
> > You have just tried to debug it. This way you cannot get the full picture.
> > But nevertheless it is useful for finding ways to break the script.
> > By the way, you may notice that *there is* error checking there.
> >
> > > This clearly writes the unencrypted tarball out to disk.
> > >
> >
> > It writes to `/dev/shm` which is not disk.
> So /home/pkern/.pw/pw.tgz is not "the unencrypted tarball"?
>

Now I see.

> > All this happens almost instantly, it never stays unencrypted
> > for a long time.
> This is just wrong.
>

You are right.

> --
> WBR, wRAR
>
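
The trace quoted above shows `tar` reading `/home/pkern/.pw/pw.tgz`, which is then removed, so the plaintext archive existed as a file outside `/dev/shm`. As an added example that is not part of this thread or of the script under discussion, here is one way to decrypt straight into the memory-backed work directory; `decrypt_to_stdout` and `extract_in_ram` are hypothetical names, and the passphrase is assumed to come from gpg-agent.

```sh
#!/bin/sh
# Added example, not the script's own code. decrypt_to_stdout and
# extract_in_ram are hypothetical names.

# Assumption: gpg-agent/pinentry supplies the passphrase. --decrypt sends
# the plaintext to stdout instead of creating a pw.tgz file next to the
# encrypted archive.
decrypt_to_stdout() {
    gpg2 --quiet --batch --decrypt -- "$1"
}

# Extract ARCHIVE.gpg into a fresh directory under BASE (default /dev/shm)
# and print the directory path. The body runs in a subshell, so umask and
# variables do not leak into the caller.
extract_in_ram() (
    archive_gpg=$1
    base=${2:-/dev/shm}
    umask 077
    workdir=$(mktemp -d "$base/pw.sh.XXXXXXXXXXXXX") || exit 1
    fifo=$workdir/.stream
    mkfifo "$fifo" || { rm -rf "$workdir"; exit 1; }

    # A FIFO passes bytes between the two processes without storing them,
    # and lets both exit statuses be checked without bash's pipefail.
    decrypt_to_stdout "$archive_gpg" >"$fifo" &
    decrypt_pid=$!
    tar_status=0
    tar -xzf - -C "$workdir" <"$fifo" || tar_status=$?
    decrypt_status=0
    wait "$decrypt_pid" || decrypt_status=$?
    rm -f "$fifo"

    if [ "$decrypt_status" -ne 0 ] || [ "$tar_status" -ne 0 ]; then
        rm -rf "$workdir"   # never leave a half-extracted tree behind
        exit 1
    fi
    printf '%s\n' "$workdir"
)
```

A caller would use `WORKDIR=$(extract_in_ram "$archive.gpg") || exit 1` and remove `$WORKDIR` in an exit trap.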