Re: Cleaning suid Binaries (Was: Re: stdio security advisory)

From: Jason Stone (jason-fbsd-security@shalott.net)
Date: 04/23/02


Date: Mon, 22 Apr 2002 20:56:13 -0700 (PDT)
From: Jason Stone <jason-fbsd-security@shalott.net>
To: Chris BeHanna <behanna@zbzoom.net>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Just FYI, gpg needs to be setuid root in order to lock pages
> containing cleartext passphrase information in memory; otherwise, they
> can end up in your swap area.

Yeah, gpg will, if setuid root, use mlock(2) to lock your key into core
while it is being handled. There are other programs that handle keys and
passwords which do not even attempt to use mlock, whether running as root
or no - ssh-agent, sshd, telnetd (being used with ipsec or ssl, of
course...).

Locking your key in core prevents exactly one attack - someone physically
breaks into your home/office, unplugs and steals your machine, and then
later, recovers your keys from swap. It does not protect you from someone
being root on the machine and sniffing your tty, it does not protect you
from someone being root on your machine and using a debugger to read a
program's memory, it does not protect you from someone with physical
access to your machine installing a keyboard sniffer (hardware keyboard
sniffers can be purchased for under $100 USD), it does not protect you
from someone with root installing a trojan, etc.

So the use of mlock doesn't protect you much.

On the other hand, having gpg be setuid root increases the likelihood that
an attacker can become root and carry out one of the attacks listed above.
(Note the current setuid file descriptor attack, previous setuid attacks
involving clearing of signal handlers, ptrace race conditions, etc).

Therefore, it is probably a bad idea to leave gpg setuid - on the whole,
it does more harm than good. If the "error" message bothers you, either
take it out of the source and recompile, or simpler, just run
"gpg 2>/dev/null".

When capabilities support eventually gets finished/integrated, then it may
be possible to give gpg the ability to call mlock but not give it any
other special privileges. When that happens, then we can start using that
functionality again, for whatever it's worth.

In the meantime, if you're really worried about it, just buy an extra
DIMM and turn off swapping.

 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet. Here's what I worry about. I worry
 that 10 or 15 years from now, she will come to me and say "Daddy, where
 were you when they took freedom of the press away from the Internet?"
        -- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE8xNtgswXMWWtptckRAigvAJ9tY3tSqjqyVaFjSgHiiQS/W+p1DACglIt2
dNcZ0pdWg8lbSK9YQJt1Vyc=
=+Rgx
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
