Date: Thu, 17 Apr 2003 00:37:20 +0100 From: David Taylor <davidt@yadt.co.uk> To: =?iso-8859-15?Q?S=EAr=EAciya_Kurdistan=EE?= <sereciya@kurdistan.ath.cx> Cc: freebsd-questions@freebsd.org Subject: Re: FreeBSD Memory Pages Not Locked? Message-ID: <20030416233719.GA49658@gattaca.yadt.co.uk> In-Reply-To: <20030416222057.GC57404@kurdistan.ath.cx> References: <20030416222057.GC57404@kurdistan.ath.cx>
next in thread | previous in thread | raw e-mail | index | archive | help
--gBBFr7Ir9EOA20Yy Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable [moved to -questions, and unsnipped for that reason] [note, I'm not ON -questions, so please CC me in any replies] On Wed, 16 Apr 2003, S=EAr=EAciya Kurdistan=EE wrote: > Hello, >=20 > I recently installed "gpnupg" from the ports collection and > upon running it (after the key generation), I found myself > seeing the following error: >=20 > gpg: Warning: using insecure memory! >=20 > ... Those of you who are impatient and think that this is a > gpg &| port specific problem, please be patient and read on ... >=20 > from: http://www.gnupg.org/documentation/faqs.html#q6.1 > Here's what the GPG FAQ says:=20 >=20 > "6.1) Why do I get "gpg: Warning: using insecure memory!" >=20 > On many systems this program should be installed as setuid(root). > This is necessary to lock memory pages. Locking memory pages > prevents the operating system from writing them to disk and > thereby keeping your secret keys really secret. If you get no > warning message about insecure memory your operating system > supports locking without being root. The program drops root > privileges as soon as locked memory is allocated." >=20 >=20 > So my question is: does FreeBSD really not have support for > locking memory pages? Not by non root users. =20 > if this is true, then what is the reason > that this has not yet been implemented, > is this not an important security feature? (I assume) because if any user could lock pages in memory, so that it could not be swapped, they could cause the system to run low on physical memory, resulting in a DoS (Denial of service) attack. =20 > otherwise... if FreeBSD does in fact have > support for locking memory pages, then > why am I getting this error message? Because you haven't made gpg setuid root (chmod u+s /usr/local/bin/gpg should achieve that -- but there are security considerations). You should either: accept that your passphrase/private key may end up on swap at some point; or set the program set-uid root, and accept that any security problems in gpg (before the point where it drops privileges) could result in your root account being comprimised (and the gpg binary being replaced with another one that e-mails your passphrase around the globe). The correct solution depends on how paranoid you are, who has access to your box, etc. =20 > If any of you have encountered this problem, and would like > to offer some help &| advice, you have a captive audience > of at least one, me! Most of this was explained in the FAQ that you posted, I'm not entirely sure how you didn't understand it, but possibly it's badly worded and i just intuitively understand it because I know the answer already. --=20 David Taylor davidt@yadt.co.uk "The future just ain't what it used to be" --gBBFr7Ir9EOA20Yy Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+nekvfIqKXSsJ/xERAsvoAJwKLwq6bupPzD3z28V4HQIIxQlkPQCdEO7C W2V7oqTrnNBUgNlYhvVDPvY= =UkKE -----END PGP SIGNATURE----- --gBBFr7Ir9EOA20Yy--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030416233719.GA49658>