From 36a5583120ad8a6f939a8971284424d580c48ab2 Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Sat, 10 May 2014 17:48:24 +0200 Subject: git: use secure tmp directory --- src/password-store.sh | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/src/password-store.sh b/src/password-store.sh index f466a8f..65283b8 100755 --- a/src/password-store.sh +++ b/src/password-store.sh @@ -163,10 +163,13 @@ clip() { echo "Copied $2 to clipboard. Will clear in $CLIP_TIME seconds." } tmpdir() { + local warn=1 + [[ $1 == "nowarn" ]] && warn=0 + local template="$PROGRAM.XXXXXXXXXXXXX" if [[ -d /dev/shm && -w /dev/shm && -x /dev/shm ]]; then SECURE_TMPDIR="$(TMPDIR=/dev/shm mktemp -d -t "$template")" else - yesno "$(cat <<-_EOF + [[ $warn -eq 1 ]] && yesno "$(cat <<-_EOF Your system does not have /dev/shm, which means that it may be difficult to entirely erase the temporary non-encrypted password file after editing. @@ -554,16 +557,20 @@ cmd_copy_move() { } cmd_git() { + tmpdir nowarn #Defines $SECURE_TMPDIR. We don't warn, because at most, this only copies encrypted files. + trap "rm -rf '$SECURE_TMPDIR'" INT TERM EXIT + export TMPDIR="$SECURE_TMPDIR" + if [[ $1 == "init" ]]; then git "$@" || exit 1 git_add_file "$PREFIX" "Add current contents of password store." echo '*.gpg diff=gpg' > "$PREFIX/.gitattributes" - git_add_file .gitattributes "Assigning diff attribute for gpg files" + git_add_file .gitattributes "Configure git repository for gpg file diff." git config --local diff.gpg.binary true - git config --local diff.gpg.textconv "$GPG ${GPG_OPTS[*]} --decrypt" + git config --local diff.gpg.textconv "$GPG -d ${GPG_OPTS[*]}" elif [[ -d $GIT_DIR ]]; then - exec git "$@" + git "$@" else die "Error: the password store is not a git repository. Try \"$PROGRAM git init\"." fi -- cgit v1.2.3