Date: Wed, 16 Apr 2003 16:54:58 -0700 From: S?r?ciya Kurdistan? <sereciya@kurdistan.ath.cx> To: freebsd-questions@freebsd.org Subject: Re: FreeBSD Memory Pages Not Locked? Message-ID: <20030416235458.GI58471@kurdistan.ath.cx> In-Reply-To: <20030416233719.GA49658@gattaca.yadt.co.uk> References: <20030416222057.GC57404@kurdistan.ath.cx> <20030416233719.GA49658@gattaca.yadt.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
--Li7ckgedzMh1NgdW Content-Type: text/plain; charset=unknown-8bit Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hello, > > So my question is: does FreeBSD really not have support for > > locking memory pages? >=20 > Not by non root users. > =20 > > if this is true, then what is the reason > > that this has not yet been implemented, > > is this not an important security feature? >=20 > (I assume) because if any user could lock pages in memory, so that it > could not be swapped, they could cause the system to run low on physical > memory, resulting in a DoS (Denial of service) attack. I see. Would having an encrypted swap like in OpenBSD help? ;) > =20 > > otherwise... if FreeBSD does in fact have > > support for locking memory pages, then > > why am I getting this error message? >=20 > Because you haven't made gpg setuid root (chmod u+s /usr/local/bin/gpg > should achieve that -- but there are security considerations). You should > either: accept that your passphrase/private key may end up on swap at some > point; or set the program set-uid root, and accept that any security > problems in gpg (before the point where it drops privileges) could result > in your root account being comprimised (and the gpg binary being replaced > with another one that e-mails your passphrase around the globe). No no... the question was missinterpreted. I meant specificaly to say: "if it is the case that FreeBSD does support locked memory pages (non-root), then why is there an error?" ;) > The correct solution depends on how paranoid you are, who has access to > your box, etc. Thank you. Those are clearly valid considerations. I guess it would be wise to generate the keys while the box has no network access; this, rather than to set the suid bit on the binary. > > If any of you have encountered this problem, and would like > > to offer some help &| advice, you have a captive audience > > of at least one, me! =20 > Most of this was explained in the FAQ that you posted, I'm not entirely > sure how you didn't understand it,=20 ;) you too did not understand my question properly. I guess it's just that we're human, right? > but possibly it's badly worded and i > just intuitively understand it because I know the answer already. Having already experienced something makes it seem intuitive to you. Obviously had I experienced that also, I probably wouldn't be posting this question which likely seems silly to you, but thanks anway ;) Very informative, thank you. --$=EAr=EAciya Kurdistan=EE +--------------------------------------------------------------+ | Welat xwe ava nake, dest bidin hevdu, pist nedin tu dijmin=EE | | Riya azadiy=EA ne h=EAsan e, h=EAviya xwe bernedin, dema me | | n=EAz=EEk e. | | | | Hevalt=EE bi kes=EAn du r=FB nekin, hevalt=EE bi hevdu ra bikin | | Ne ji hevaltiya wan kes=EAn p=EAxwas =FB r=FB dir=EAj, ne bi wan | | kes=EAn xw=EEnperest, ne j=EE ji y=EAn din. | | | | -$=EAr=EAciya Kurdistan=EE | +--------------------------------------------------------------+ translation provided on request: sereciya at kurdistan.ath.cx --Li7ckgedzMh1NgdW Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+ne1S2rX+NTHoe2QRApoKAJ9NOhpJaFqA5cEZBXsJ28H8pes7NACeOINp b+Ce4GERBGTTR9cPTieRX+Y= =7DNJ -----END PGP SIGNATURE----- --Li7ckgedzMh1NgdW--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030416235458.GI58471>