Bug 32618

Summary: /usr/bin/gpg requires SETUID root to use secure memory
Product: [Retired] Red Hat Linux
Reporter: Christian Conkle <christian>
Component: gnupg
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED WONTFIX
QA Contact: Aaron Brown <abrown>
Severity: medium
Priority: medium
Version: 7.0
CC: dr
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2001-03-22 17:29:09 UTC

Description Christian Conkle 2001-03-22 01:51:06 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2 i686; en-US; 0.8) Gecko/20010215

The RPM installs /usr/bin/gpg without the SETUID bit set.  This prevents
gpg from using secure memory--it cannot prevent its memory spaces from
being written to the (insecure) virtual memory spaces.  GPG has code to
lose the root permissions after allocating memory, so it seems that the
security implications of having SETUID are less than writing unencrypted
keys to disk (!!!).  With capabilities perhaps we could avoid this, but...

Reproducible: Always
Steps to Reproduce:
1. chmod `which gpg` -s
2. gpg (as non-root)

Actual Results:  "gpg: Warning: using insecure memory!"
"gpg: Go ahead and type your message..."

Expected Results:  "gpg: Go ahead and type your message..."

Additional Information:  "rpm -q gnupg: gnupg-1.0.4-9"

Fix: "chmod `which gpg` +s"
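The pattern the report is weighing, as an added example that is not GnuPG's code: a setuid-root program pins its secret buffer with mlock() while it still has root, then drops root before touching any input. The `secmem_*` names and the sample passphrase are constructed for this illustration; when mlock() fails (no CAP_IPC_LOCK and no RLIMIT_MEMLOCK headroom) it falls back to ordinary, swappable memory and warns, which is the trade-off the report describes.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct secmem { void *buf; size_t len; int locked; }; /* locked==0 means "insecure memory" */

/* Privileged work first (pin the pages), then lose root for good. */
struct secmem secmem_init(size_t len)
{
    struct secmem m = { NULL, 0, 0 };
    long ps = sysconf(_SC_PAGESIZE); size_t page = ps > 0 ? (size_t)ps : 4096;
    m.len = ((len + page - 1) / page) * page;           /* whole pages only */
    if (posix_memalign(&m.buf, page, m.len) != 0) { m.buf = NULL; return m; }
    memset(m.buf, 0, m.len);
    /* mlock() needs CAP_IPC_LOCK or headroom under RLIMIT_MEMLOCK; past the limit we fall back. */
    if (mlock(m.buf, m.len) == 0) m.locked = 1;
    else fprintf(stderr, "warning: using insecure memory (mlock: %s)\n", strerror(errno));
    /* With euid 0, setuid() sets real, effective and saved uid together, so setuid(0) later fails. */
    if (geteuid() == 0 && (setgid(getgid()) != 0 || setuid(getuid()) != 0))
        abort();                                         /* never run half-privileged */
    return m;
}

/* 1 when no elevated uid/gid remains in this process. */
int secmem_privs_dropped(void)
{
    return geteuid() == getuid() && getegid() == getgid();
}

/* Wipe via a volatile pointer (so the stores survive optimisation), unlock, free; 0 on success. */
int secmem_free(struct secmem *m)
{
    if (m->buf == NULL) return -1;
    volatile unsigned char *p = m->buf;
    for (size_t i = 0; i < m->len; i++) p[i] = 0;
    if (m->locked) munlock(m->buf, m->len);
    free(m->buf); m->buf = NULL;
    return 0;
}

/* Round trip with a constructed sample secret; returns 1 on success. */
int secmem_selftest(size_t len)
{
    struct secmem m = secmem_init(len);
    if (m.buf == NULL || m.len < len || !secmem_privs_dropped()) return 0;
    snprintf(m.buf, m.len, "constructed-sample-passphrase");
    return secmem_free(&m) == 0 && m.buf == NULL && secmem_free(&m) == -1;
}
```

Run as an unprivileged user the program keeps working either way; the point of the setuid bit is only that the mlock() branch succeeds and the secret never reaches swap.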

Comment 1 Daniel Roesen 2001-03-22 17:29:05 UTC
Hm, I tend to agree, IF the codepath up to dropping root privs is sufficiently
convincing.

Comment 2 Nalin Dahyabhai 2001-04-03 02:00:59 UTC
Use the --no-secmem-warning option to disable this message.  Given the choice
between a hypothetical code vulnerability and the possibility of a malicious
party reading sensitive data from your swap partition, we choose to ship without
the setuid bit set.