Date: Mon, 22 Apr 2002 20:56:13 -0700 (PDT)
From: Jason Stone <jason-fbsd-security@shalott.net>
To: Chris BeHanna <behanna@zbzoom.net>
Cc: FreeBSD Security <security@freebsd.org>
Subject: Re: Cleaning suid Binaries (Was: Re: stdio security advisory)
Message-ID: <20020422204317.O14111-100000@walter>
In-Reply-To: <20020422233549.A69611-100000@topperwein.dyndns.org>
> Just FYI, gpg needs to be setuid root in order to lock pages
> containing cleartext passphrase information in memory; otherwise, they
> can end up in your swap area.

Yeah, gpg will, if setuid root, use mlock(2) to lock your key into core while it is being handled. There are other programs that handle keys and passwords which do not even attempt to use mlock, whether running as root or no - ssh-agent, sshd, telnetd (being used with ipsec or ssl, of course...).

Locking your key in core prevents exactly one attack - someone physically breaks into your home/office, unplugs and steals your machine, and then later, recovers your keys from swap. It does not protect you from someone being root on the machine and sniffing your tty, it does not protect you from someone being root on your machine and using a debugger to read a program's memory, it does not protect you from someone with physical access to your machine installing a keyboard sniffer (hardware keyboard sniffers can be purchased for under $100 USD), it does not protect you from someone with root installing a trojan, etc.

So the use of mlock doesn't protect you much. On the other hand, having gpg be setuid root increases the likelihood that an attacker can become root and carry out one of the attacks listed above. (Note the current setuid file descriptor attack, previous setuid attacks involving clearing of signal handlers, ptrace race conditions, etc.)

Therefore, it is probably a bad idea to leave gpg setuid - on the whole, it does more harm than good. If the "error" message bothers you, either take it out of the source and recompile, or simpler, just run "gpg 2>/dev/null".

When capabilities support eventually gets finished/integrated, then it may be possible to give gpg the ability to call mlock but not give it any other special privileges. When that happens, then we can start using that functionality again, for whatever it's worth.

In the meantime, if you're really worried about it, just buy an extra DIMM and turn off swapping.

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
-- Mike Godwin
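The trade-off discussed in this thread, as an added example that is not code from the thread or from gpg: a small C secret-buffer helper (names `secbuf`, `secbuf_alloc`, `secbuf_wipe`, `secbuf_free` are this example's own) that tries mlock(2) on the pages holding a passphrase, treats an mlock failure as a warning rather than a reason to run setuid root, and wipes the secret before unmapping it.

```c
#define _DEFAULT_SOURCE            /* exposes MAP_ANONYMOUS on glibc */
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Holder for a passphrase or key: a page-aligned anonymous mapping, so
 * mlock(2) pins exactly the pages that contain the secret. */
typedef struct {
    unsigned char *ptr;
    size_t len;     /* bytes requested by the caller */
    size_t maplen;  /* bytes mapped, rounded up to whole pages */
    int locked;     /* 1 if mlock succeeded, 0 if it failed */
} secbuf;

/* Map the buffer and try to pin it in RAM. Returns 0 on success. An mlock
 * failure (EPERM, or ENOMEM when an unprivileged process exceeds
 * RLIMIT_MEMLOCK) is recorded in b->locked and is not fatal: the program
 * keeps working without setuid root and only loses the swap protection. */
int secbuf_alloc(secbuf *b, size_t len) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || len == 0) return -1;
    b->len = len;
    b->maplen = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;
    b->ptr = mmap(NULL, b->maplen, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (b->ptr == MAP_FAILED) { b->ptr = NULL; return -1; }
    b->locked = (mlock(b->ptr, b->maplen) == 0);
    if (!b->locked) perror("mlock failed, secret may reach swap");
    return 0;
}

/* Zero the secret through a volatile pointer so the compiler cannot drop
 * the stores as dead. Returns the number of bytes wiped. */
size_t secbuf_wipe(secbuf *b) {
    volatile unsigned char *p = b->ptr;
    if (!p) return 0;
    for (size_t i = 0; i < b->maplen; i++) p[i] = 0;
    return b->maplen;
}

/* Wipe, unlock and unmap. Returns 0 on success, -1 if nothing is mapped. */
int secbuf_free(secbuf *b) {
    if (!b->ptr) return -1;
    secbuf_wipe(b);
    if (b->locked) munlock(b->ptr, b->maplen);
    int rc = munmap(b->ptr, b->maplen);
    b->ptr = NULL; b->len = b->maplen = 0; b->locked = 0;
    return rc;
}
```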