@bdmorin
Last active July 26, 2022 16:35
1password Teams/Business has a HUGE default problem. This is what I'm doing to remediate it.

1password's default export and print settings

If you're using 1password Teams or higher, you should look closely at the default permissions 1password grants on your vaults.

Unless you set things up non-default, every user/group added to a vault is able to print your entire vault, with complete details, or export that vault with all details.

This floored me when it was brought to my attention. You have to manually disable export/print on every vault. There's no global option to disable this, and if you're a 1password newbie, you might not even know this option exists. This data exfiltration opportunity is a super crazy risk. While anyone can copy-paste all the data out manually, these options make it child's play to export all your passwords, OTP tokens, everything! I was sent a PDF of ~250 complete items across 4 vaults. The person didn't "manage" the vaults. WTF 1password?! [screenshot: CleanShot 2022-07-26 at 11 16 59]

Equally frustrating, even after you disable these settings, it still shows "export" in the short view. [screenshot: CleanShot 2022-07-26 at 11 19 37]

So, I had the option to manually go through and disable those options, or to use the CLI; I chose the CLI. This isn't optimal: I can't automate it, since it requires my authentication to run, so this is, at best, a band-aid. In my opinion 1password needs to fix this. I've sent support messages, and haven't heard back.

If your experience is different, please let me know. Perhaps I'm using the platform incorrectly.

I wrote this in fish shell, because it was simple, and I had to interact with the command line. It shouldn't be hard to port to bash or zsh or whatever you like. I just like fish.

todo

  • Set up some kind of automation so this can happen regularly.
  • Consider python or charm.sh to run everything.
  • My async solution using parallel is ok, but asyncio or something pythonic might be nice.
  • Go could handle this really well, so that's a consideration as well.
#!/usr/bin/env fish
# bdmorin@gmail.com
# if you're doing multiple consecutive runs, you might want to enable
# op-cli's built in cache function for faster response.
# To disable the cache, set this to an empty list (`set --global CACHED`);
# note that `set CACHED ''` in fish would pass an empty argument to op.
set --global CACHED '--cache'
echo "# gathering users"
set --global op_user_list (op $CACHED user list | awk '{print $1}' | tail -n +2)
echo "# gathering groups"
set --global op_group_list (op $CACHED group list | awk '{print $1}' | tail -n +2)
echo "# gathering vaults"
set --global op_vault_list (op $CACHED vault list | awk '{print $1}' | tail -n +2)
# Loop over all vaults, with users/groups, and emit the commands that remove the permissions.
# When you run them you'll get lots of errors that the permissions don't exist, that's fine
for vault in $op_vault_list
    echo "# processing $vault"
    for user in $op_user_list
        echo "# processing $user in $vault"
        echo op vault user revoke --vault $vault --user $user --permissions export_items,print_items
    end
    for group in $op_group_list
        echo "# processing $group in $vault"
        echo op vault group revoke --vault $vault --group $group --permissions export_items,print_items
    end
end
# This process is really slow, so run the output through parallel
# $ fish op-gen-ids.fish > revoke.cmd
# review the file
# $ parallel -j 8 < revoke.cmd | tee revoke.cmd.out
# or whatever suits you.
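An added audit-first variant of the same idea in Python (the todo list mentions Python); this is example code, not the gist's own script. It lists which users and groups actually hold export_items or print_items on each vault and emits revoke commands only for those grants, so a re-run produces no "permission doesn't exist" noise. It assumes op CLI v2 with `--format json`, and that the records returned by `op vault user list <vault>` / `op vault group list <vault>` carry `id`, `name` and a `permissions` list (those field names are an assumption); the sample data is constructed.

```python
"""Audit 1Password vaults for export_items/print_items grants and emit targeted revokes.
Added example, not the gist's code. Assumes op CLI v2 with --format json and that the
vault user/group list records carry "id", "name" and a "permissions" list (assumption)."""
import json
import subprocess
from typing import Dict, List

RISKY = {"export_items", "print_items"}

def op_json(*args: str) -> list:
    """Run an op subcommand and parse its JSON output (needs a signed-in op session)."""
    proc = subprocess.run(["op", *args, "--format", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def risky_grants(members: list, kind: str) -> List[Dict]:
    """Return the users or groups ('kind') whose permissions include a risky one."""
    found = []
    for m in members:
        hit = sorted(RISKY & set(m.get("permissions", [])))
        if hit:
            found.append({"kind": kind, "id": m["id"],
                          "name": m.get("name", ""), "permissions": hit})
    return found

def revoke_commands(vault_id: str, grants: List[Dict]) -> List[str]:
    """One `op vault {user,group} revoke` line per grant that actually exists, so the
    generated file is idempotent and free of 'permission not found' errors on re-runs."""
    lines = []
    for g in grants:
        flag = "--user" if g["kind"] == "user" else "--group"
        lines.append(f"op vault {g['kind']} revoke --vault {vault_id} {flag} {g['id']}"
                     f" --permissions {','.join(g['permissions'])}")
    return lines

def audit_vault(vault_id: str) -> List[str]:
    """Collect risky grants on one vault from live op output and return revoke lines."""
    grants = (risky_grants(op_json("vault", "user", "list", vault_id), "user")
              + risky_grants(op_json("vault", "group", "list", vault_id), "group"))
    return revoke_commands(vault_id, grants)

# Constructed sample in the shape assumed for `op vault user list <vault> --format json`.
SAMPLE_USERS = [
    {"id": "U1", "name": "carol", "permissions": ["view_items", "create_items"]},
    {"id": "U2", "name": "alice", "permissions": ["view_items", "export_items", "print_items"]},
    {"id": "U3", "name": "bob", "permissions": ["view_items", "print_items"]},
]
if __name__ == "__main__":
    # Review the printed commands, then run them (e.g. through parallel) as the gist does.
    for vault in op_json("vault", "list"):
        print("\n".join(audit_vault(vault["id"])))
```

The printed file can be reviewed and fed to parallel exactly like revoke.cmd above; only real grants appear in it.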