Date: Wed, 16 Apr 2003 16:54:58 -0700 From: S?r?ciya Kurdistan? <sereciya@kurdistan.ath.cx> To: freebsd-questions@freebsd.org Subject: Re: FreeBSD Memory Pages Not Locked? Message-ID: <20030416235458.GI58471@kurdistan.ath.cx> In-Reply-To: <20030416233719.GA49658@gattaca.yadt.co.uk> References: <20030416222057.GC57404@kurdistan.ath.cx> <20030416233719.GA49658@gattaca.yadt.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
--Li7ckgedzMh1NgdW
Content-Type: text/plain; charset=unknown-8bit
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Hello,
> > So my question is: does FreeBSD really not have support for
> > locking memory pages?
>=20
> Not by non root users.
> =20
> > if this is true, then what is the reason
> > that this has not yet been implemented,
> > is this not an important security feature?
>=20
> (I assume) because if any user could lock pages in memory, so that it
> could not be swapped, they could cause the system to run low on physical
> memory, resulting in a DoS (Denial of service) attack.
I see. Would having an encrypted swap like in OpenBSD help? ;)
> =20
> > otherwise... if FreeBSD does in fact have
> > support for locking memory pages, then
> > why am I getting this error message?
>=20
> Because you haven't made gpg setuid root (chmod u+s /usr/local/bin/gpg
> should achieve that -- but there are security considerations). You should
> either: accept that your passphrase/private key may end up on swap at some
> point; or set the program set-uid root, and accept that any security
> problems in gpg (before the point where it drops privileges) could result
> in your root account being comprimised (and the gpg binary being replaced
> with another one that e-mails your passphrase around the globe).
No no... the question was missinterpreted.
I meant specificaly to say: "if it is the case that FreeBSD does support
locked memory pages (non-root), then why is there an error?" ;)
> The correct solution depends on how paranoid you are, who has access to
> your box, etc.
Thank you. Those are clearly valid considerations. I guess it would
be wise to generate the keys while the box has no network access; this,
rather than to set the suid bit on the binary.
> > If any of you have encountered this problem, and would like
> > to offer some help &| advice, you have a captive audience
> > of at least one, me!
=20
> Most of this was explained in the FAQ that you posted, I'm not entirely
> sure how you didn't understand it,=20
;) you too did not understand my question properly. I guess it's just
that we're human, right?
> but possibly it's badly worded and i
> just intuitively understand it because I know the answer already.
Having already experienced something makes it seem intuitive to you.
Obviously had I experienced that also, I probably wouldn't be posting
this question which likely seems silly to you, but thanks anway ;)
Very informative, thank you.
--$=EAr=EAciya Kurdistan=EE
+--------------------------------------------------------------+
| Welat xwe ava nake, dest bidin hevdu, pist nedin tu dijmin=EE |
| Riya azadiy=EA ne h=EAsan e, h=EAviya xwe bernedin, dema me |
| n=EAz=EEk e. |
| |
| Hevalt=EE bi kes=EAn du r=FB nekin, hevalt=EE bi hevdu ra bikin |
| Ne ji hevaltiya wan kes=EAn p=EAxwas =FB r=FB dir=EAj, ne bi wan |
| kes=EAn xw=EEnperest, ne j=EE ji y=EAn din. |
| |
| -$=EAr=EAciya Kurdistan=EE |
+--------------------------------------------------------------+
translation provided on request: sereciya at kurdistan.ath.cx
--Li7ckgedzMh1NgdW
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
iD8DBQE+ne1S2rX+NTHoe2QRApoKAJ9NOhpJaFqA5cEZBXsJ28H8pes7NACeOINp
b+Ce4GERBGTTR9cPTieRX+Y=
=7DNJ
-----END PGP SIGNATURE-----
--Li7ckgedzMh1NgdW--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030416235458.GI58471>