Bug 71644
Summary: | gnupg using insecure memory | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jay Berkenbilt <ejb> |
Component: | gnupg | Assignee: | Nalin Dahyabhai <nalin> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Mike McLean <mikem> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 5 | CC: | dshaw, ejb, notting |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | FC5 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2006-08-07 18:10:00 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jay Berkenbilt
2002-08-16 02:22:31 UTC
I posted this 7 months ago. I'm just wondering why there's been on activity at all. I don't want to nag; I just want to make sure this isn't overlooked, even if it is fairly unimportant. Red Hat Linux is no longer supported by Red Hat, Inc. If you are still running Red Hat Linux, you are strongly advised to upgrade to a current Fedora Core release or Red Hat Enterprise Linux or comparable. Some information on which option may be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/. Red Hat apologizes that these issues have not been resolved yet. We do want to make sure that no important bugs slip through the cracks. Please check if this issue is still present in a current Fedora Core release. If so, please change the product and version to match, and check the box indicating that the requested information has been provided. Note that any bug still open against Red Hat Linux on will be closed as 'CANTFIX' on September 30, 2006. Thanks again for your help. This issue is still present in FC5. Well, actually, the warning was removed from gnupg a long time ago, but I it still remains the case in Fedora Core 5 that gnupg is installed without the setuid bit and therefore uses insecure memory. Debian installs gpg setuid root. I certainly understand why people might be reluctant to install something setuid unnecessarily, but it should be safe to do so. On the other hand, the chances of password information actually getting written to a swap file are pretty slim, and anyone who would have access to mine through a swap file would also have acess to install a trojan gpg, so maybe this is just worth closing with WONTFIX. (In reply to comment #3) > This issue is still present in FC5. > > Well, actually, the warning was removed from gnupg a long time ago, but I it > still remains the case in Fedora Core 5 that gnupg is installed without the > setuid bit and therefore uses insecure memory. This is not correct. The warning is still in place in GnuPG. The reason the warning does not show up under FC5 is that FC5 allows for a non-root process to lock (a small amount of) memory. Thus on FC5, GnuPG does not need to be setuid root. I don't recall which FC began to allow non-root memory locking, but it was certainly present in FC3. Closing, then. Thanks, you're right. According to the mlock manual page, this was added in kernel 2.6.9. |