mirror of https://github.com/xpipe-io/xpipe.git, synced 2024-09-30 00:56:56 +13:00
Update SECURITY.md
parent 53d541d1c7
commit bb519fcd1b
1 changed file with 20 additions and 5 deletions
SECURITY.md (25 lines changed)
@ -23,13 +23,27 @@ If your local system is infected to an extent where malicious programs can modif
file system and other installed programs like X-Pipe,
then there is no technical way of preventing malicious programs to also infect X-Pipe and the connected systems as well.
Any underlying remote connection command-line program should be secure.
If for example your SSH connection is susceptible to MITM attacks, or
## Reliance on other programs
X-Pipe essentially outsources any form of connection and shell handling to your existing command-line tools.
It does not come with any remote handling capabilities of its own.
Therefore, any used command-line program should be secure.
If for example your `ssh` command-line program or its connections are susceptible to MITM attacks or
vulnerable in any other way, there is no way for X-Pipe to keep the sensitive information secure.
As X-Pipe completely outsources any connection handling to your command-line tools,
it is your responsibility to keep them up to date with security patches and more.
It is your responsibility to use the programs in a secure environment and keep them up to date with security patches and
more.
X-Pipe can only be as secure as your underlying command-line tools itself.
X-Pipe calls these programs almost exactly as you would do manually in your terminal
with some a few additional parameters to automatically pass login information
and adapt the environment to make it work properly.
The called program therefore automatically uses your
system configuration for it, e.g. your system SSH configs.
X-Pipe does not perform any validation or version checking for the programs it calls.
For example, when establishing an ssh connection through X-Pipe, it will straight up call `ssh user@host <options>`.
It is assumed that this `ssh` executable is secure and the one that you actually want to use.
## Data security and privacy
The general approach of X-Pipe can be summarized as follows:
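Review bot: two wording defects in the added "Reliance on other programs" text: "with some a few additional parameters" has a leftover word ("some a few"), and "X-Pipe can only be as secure as your underlying command-line tools itself" should read "themselves". More substantively, the new paragraph says no validation or version checking is done and that the `ssh` executable is assumed to be "the one that you actually want to use", but it never states how that executable is located; since the text says programs are called as you would in a terminal, say explicitly what the lookup depends on (e.g. the PATH of the environment X-Pipe runs in, plus the system SSH configs it mentions), so a reader knows what to verify. Finally, "additional parameters to automatically pass login information", read alongside the stdin/askpass description later in this file, can be taken to mean credentials are put on the command line, where they would be visible in process listings; if only user, host and similar connection details are meant, wording like "connection parameters such as user and host" avoids that reading.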
@ -64,7 +78,8 @@ If the program runs on your local system, the data does not leave your local sys
If login information is required on a remote system, then that data must be transferred to that remote system.
In case a program accepts password input via stdin, this process is relatively straightforward.
Then the passed sensitive information is just written into the stdin of the program and does not show up in any history or file system.
Then the passed sensitive information is just written into the stdin of the program and does not show up in any history
or file system.
When a program only accepts password input via an environment variable or an askpass program,
a self deleting password supplier script file is generated by X-Pipe.
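Review bot: "self deleting" should be hyphenated ("self-deleting"), and the added sentence leaves the properties of that supplier script that a reader would want undocumented: where it is written, with what permissions, and what happens to it if the called program exits or is killed before it runs the script. The preceding paragraph's statement that stdin input "does not show up in any history or file system" makes the gap noticeable, because the environment-variable/askpass path does touch the file system, even if only briefly. One sentence giving the location, whether the file is created readable by the owner only, and how cleanup is ensured on failure would let readers compare this path against the stdin one.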