Skip to content

Security: linux-credentials/credentialsd

Security

Report a vulnerability

SECURITY.md

credentialsd Security Policy

Since this project handles very sensitive data, we, the maintainers of credentialsd, take security seriously. This policy outlines our intentions for addressing security issues and practices for security researchers investigating this project.

Submitting Vulnerability Reports

If you have discovered a security vulnerability in this project, please report it to us privately via the process below.

We use GitHub for private vulnerability disclosure. To report a vulnerability:

  1. Go to Security > Advisories > New draft security advisory.
  2. Fill out the report and submit the draft.
  3. The maintainers will be privately notified about the advisory and get back to you.

Expected Response

We aim to acknowledge the receipt of the report as soon as possible and will work with you. We seek to investigate issues within 30 days.

If the issue is confirmed upon investigation, we will collaborate with you to remediate the vulnerability. Depending on the severity or developer availability, we may request more time to remediate the issue before public disclosure.

Supported Releases

We only support the latest published release. We may backport patches when possible to help users running on distributions that package older versions of our software.

Threat Model

We do not currently have a formally defined threat model; we will continue to document it over time. However, the basic security guarantees we would like to achieve are defined below.

Please note, that if you believe you have discovered a security problem outside of this scope, we still want to know about it! We would still like to discuss the issue privately, but we may decide to address it beyond the response time described above.

Definitons

  • privileged client: A client that is allowed to make requests for credentials for any origin.
  • unprivileged client: A client that is allowed to make requests for credentials for only a preconfigured set of origins.

Scope

Here is the current list of items that are in scope:

  • Privileged clients may request credentials via this service1 for any origin.
  • The list of privileged clients cannot change without:
    • root privileges, or
    • user consent2
  • The list of unprivileged clients cannot change without:
    • root privileges, or
    • user consent2

We implicitly trust the kernel and D-Bus, so any attacks that exploit those are out of scope for this project.

Some other attacks that are explicitly out of scope are those that require:

  • physical access
  • direct access to authenticators
  • root privilege escalation

Footnotes

  1. Various systems may allow users to interact with authenticators directly (e.g. allowing unrestricted permission to USB devices or Bluetooth service data), so those are out of scope.

  2. In the future we may offer a stricter guarantee that privileged clients must include permission in application metadata signed by a trusted party. 2

There aren’t any published security advisories