I’m looking for a forgejo cli (something similar to gh for github or glab for gitlab - neither of which I’ve ever used).
I found one named forgejo-cli and another named fgj but, from a quick look at the source, both seem to save my API key in a plaintext file, which… I just find unacceptable (and, frankly, quite dumb).
Do you know of any others?
Interesting how do you do that exactly?
I was thinking you can just start the app that has permission to read the wallet, attach a debugger and then inject code to dump the wallet. It’s definitely more complicated than reading a plain text file but not fundamentally less possible.
But really if you have that level of access it’s game over anyway and you just MitM sudo and get root access, or use one of the many local privilege escalation vulnerabilities and get root immediately.
Do what? Get another program’s secrets? Just ask the d-bus interface for them.
https://specifications.freedesktop.org/secret-service/latest/
Alternatively, eavesdrop on d-bus when secrets are being stored or retrieved.
man dbus-monitorHuh I was under the impression that you could limit it to specific applications and dbus would tell kwallet the path of the application making the request (which could be done at least vaguely securely). But upon further investigation it just uses the “appid” that the app reports which it can apparently set to anything it wants. It’s difficult to find information about this stuff though. D-bus is not very well documented at all.