From: Jason Stone
Date: Wed, 16 Apr 2003 17:10:13 -0700 (PDT)
To: Sêrêciya Kurdistanî
Cc: freebsd-performance@freebsd.org
Subject: Re: FreeBSD Memory Pages Not Locked?

> I recently installed "gnupg" from the ports collection and
> upon running it (after the key generation), I found myself
> seeing the following error:
>
> gpg: Warning: using insecure memory!

1) This is a question for freebsd-security, not freebsd-performance.

2) Yes, freebsd does support locking pages in memory with mlock, but only root can call mlock. If you make gpg setuid root (chmod 4111 `which gpg`) then it will be able to mlock and the warning will go away.

However, you must decide if that is a good security practice, because now bugs in gpg can be used to gain root on that machine, and if an attacker gains root, he can just sniff your tty and get your passphrase next time you enter it. Additionally, other programs on the machine do not mlock sensitive data into core (think login, sshd, ssh-agent, etc), so you're already vulnerable to having sensitive data retrieved from swap. If having sensitive data retrieved from swap is really a concern for you, run freebsd-5 and use gbde to encrypt your whole swap partition.

3) Or, just add "no-secmem-warning" to your ~/.gnupg/options to silence the warning. It's really unlikely that an attack on unencrypted data in swap will ever affect you.

 -Jason

 --------------------------------------------------------------------------
 Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
 that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu