Clear inter-VM global clipboard after a certain amount of time #6641
Comments
sjvudp
added
P: default
andrewdavidwong
changed the title
|
Related: #3415 |
andrewdavidwong
added
C: core
security
|
I guess I had a bit of a design tantrum, and did some mockups for this some time ago. :D
|
This issue is relatively easy to solve. The design could be like this: Upon copy to global Inter-VM clipboard, the Global Clipboard systray widget ( All of the fixes could happen in one repository ( |
Menu item to Global Clipboard widget to allow users to manually clear it Also `global-clipboard-timeout` feature could be set per VM and/or GUIVM resolves: QubesOS/qubes-issues#6641
|
PR Submitted. Review priority: low Additional notes: A menu item is also added to allow users to manually clear the global clipboard at anytime they desire. Or they could set Development notes: This PR would most likely conflict with PR for #9296. It would be better if this one could be reviewed before PR for 9296. So that one could be readjusted to accommodate this change. The applet restarts since Video demo: global_clipboard_timeout.mp4 |
andrewdavidwong
added
the
pr submitted
|
There is a change in plans. According to PR discussion:
So the Patches to 3 repositories will be required. |
|
The GUI Daemon PR for this is done. I will write the PR for |
|
I also wondered (don't know the internals, however): |
|
On Fri, Nov 15, 2024 at 04:20:07PM -0800, sjvudp wrote:
If the "owner" of the global clipboard data (the VM or app that provided the data) clears its local clipboard, can't the global clipboard be updated (i.e. also cleared) as well?
This goes against the rule that global clipboard operations need explicit user consent.
But also, it will lead to various confusing corner cases - for example, what if another app in the same VM puts something into the clipboard - should the global clipboard be cleared then?
…--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
|
No, because that app is not the "owner" of the data. |
|
That's just one example of problematic cases, there surely are more. Anyway, the main reason why this is a bad idea is
Source qube should not have control over the global clipboard beyond what user explicitly requested. This includes clearing that content. |
The problem you're addressing (if any)
A typical use case it to run a password manager in a different VM (like "vault"), then transfer the passwords via the clipboard to the target VM (to paste it there).
While the password managers typically erase the clipboard after some time, the Qubes clipboard keeps the data "forever" (while it's running).
Describe the solution you'd like
It would be somewhat safer if the clipboard were (or could) be erased after some time (e.g. in case the user forgot he had copied the password to the clipboard, thinking something else is in the clipboard).
Of course timing out the global clipboard does not mean the local clipboard in the target VM will be erased, too.
So there still is some problem that local use of a password manager does not have.
Where is the value to a user, and who might that user be?
The feature may prevent users pasting secrets where they shouldn't be pasted by mistake.
So it's basically a security feature.
Describe alternatives you've considered
Copying some dummy data to the clipboard could overwrite the password there if it's not needed any more.
Additional context
Relevant documentation you've consulted
Related, non-duplicate issues
The text was updated successfully, but these errors were encountered: