Offer to enter new credentials when auto-merging database changes #2176

Closed
ralphdouglass opened this issue Aug 3, 2018 · 3 comments
ralphdouglass commented Aug 3, 2018

If one has KeePassXC running and a database open, and then changes happen to one or more entries of the on-disk version of the database, KeePassXC will detect changes to the on-disk version of said database and merge changes into the currently open version of the database.

However, if the on-disk database's master password (or presumably the master key) changes, KeePassXC will not merge in any content changes. It also won't notify the user that the on-disk database has a different master password, and when KeePassXC next saves the in-memory database, it simply overrides the on-disk version entirely.

Expected Behavior

Warn the user, possibly provide them a mechanism to resolve the merge.

Current Behavior

When the on-disk database has a different master password, KeePassXC will:

  1. Silently ignore changes from the on-disk version of the database
  2. Silently overwrite the on-disk version of the database upon next save of the in-memory database

Possible Solution

Notify the user that the on-disk version of the database has changed and requires a different master password (or key) to merge in changes. Give the end user an option to either enter/provide the new password/key or to ignore the on-disk version.

Steps to Reproduce data loss scenario

  1. While running KeePassXC, create an empty database named db1.kdbx with password 'foo'. Save the database, leave 'db1' open.
  2. In a shell type the following to create a copy, add an entry, and open the copy up:

      $ cp db1.kdbx db2.kdbx
      $ echo foo | keepassxc-cli add db2.kdbx test-entry
      $ keepassxc db2.kdbx

  3. Type in "foo" as the database password to unlock db2
  4. Click 'Database' -> 'Change master key'. In the password fields, enter 'bar' twice, and click 'OK'
  5. Click 'Save'. Close db2.kdbx
  6. Back in the shell, copy db2 over db1 and then delete db2:

      $ cp db2.kdbx db1.kdbx
      $ rm db2.kdbx

  7. Back in KeePassXC, note the lack of any sort of notification or change in the window with db1 open.
  8. In db1, make a change and save. Note the lack of notification about overwriting the on-disk version and resultant loss of 'test-entry' from the disk/memory/etc.

Debug Info

KeePassXC - 2.3.3
Revision: 0a155d8
OS: Linux


droidmonkey commented Aug 5, 2018

We cannot tell (in most cases) if the password was changed or the database is corrupted. Just something to keep in mind, but a great suggestion. The fix to this would cause the "open database" dialog to appear with an error message on top similar to: "Tracked database failed to open for automatic merging, please re-enter the database's credentials as these may have changed"

@droidmonkey droidmonkey self-assigned this Aug 5, 2018
@droidmonkey droidmonkey added this to the v2.4.0 milestone Aug 5, 2018
@droidmonkey droidmonkey modified the milestones: v2.4.0, v2.5.0 Jan 31, 2019
@phoerious phoerious modified the milestones: v2.5.0, v2.6.0 Oct 26, 2019
@droidmonkey droidmonkey modified the milestones: v2.6.0, v2.7.0 May 30, 2020
@droidmonkey droidmonkey removed this from the v2.7.0 milestone Aug 22, 2020
@droidmonkey droidmonkey changed the title from "Change to master password of on-disk database is not picked up by running instance" to "Offer to enter new credentials when auto-merging database changes" Aug 22, 2020
@droidmonkey

Directly related to #5290

@droidmonkey

Tracking this through the above issue.
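
The guard this issue asks for, sketched as an added example (not KeePassXC code and not written by anyone in the thread): a failed automatic merge blocks the next save until new credentials are supplied. The container format, `TrackedDb`, `seal`/`unseal` and the file name are constructed for illustration and are not KDBX.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def _tag(password, body):
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 1000)
    return hmac.new(key, body, "sha256").digest()
def seal(entries, password):
    """Constructed stand-in for an encrypted database (not KDBX): tag + JSON body."""
    body = json.dumps(sorted(entries)).encode()
    return _tag(password, body) + body
def unseal(blob, password):
    """Entries, or None: a wrong key and a corrupted file look the same here."""
    ok = hmac.compare_digest(blob[:32], _tag(password, blob[32:]))
    return set(json.loads(blob[32:])) if ok else None

class TrackedDb:
    def __init__(self, path, password):
        self.path, self.password, self.entries, self.synced = path, password, set(), None
        self.reload()

    def reload(self, password=None):
        """Merge on-disk entries; False means the caller must ask for credentials."""
        blob, password = self.path.read_bytes(), password or self.password
        disk = unseal(blob, password)
        if disk is None:
            return False
        self.entries |= disk
        self.password = password  # assumption: adopt the key the file now uses
        self.synced = hashlib.sha256(blob).digest()  # this on-disk state is merged
        return True

    def save(self):
        """Write to disk; False (nothing written) if an on-disk change is unmerged."""
        if hashlib.sha256(self.path.read_bytes()).digest() != self.synced:
            return False
        self.path.write_bytes(seal(self.entries, self.password))
        self.synced = hashlib.sha256(self.path.read_bytes()).digest()
        return True

def demo():
    path = Path(tempfile.mkdtemp()) / "db1.demo"
    path.write_bytes(seal([], "foo"))
    db = TrackedDb(path, "foo")
    path.write_bytes(seal(["test-entry"], "bar"))  # external copy: new key + entry
    merged = db.reload()            # False: current key no longer opens the file
    db.entries.add("local-change")
    blocked = not db.save()         # True: save refused instead of clobbering
    db.reload("bar"); db.save()     # user supplied the new credentials
    return merged, blocked, unseal(path.read_bytes(), "bar")
```

Because `unseal` returns the same result for a wrong key and for a damaged file, the caller can only prompt for credentials; it cannot say which of the two happened.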
