Bug 32618 - /usr/bin/gpg requires SETUID root to use secure memory
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: gnupg (Show other bugs)
Version: 7.0
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Aaron Brown
Keywords: Security
Reported: 2001-03-21 20:51 EST by Christian Conkle
Modified: 2007-04-18 12:32 EDT (History)
Doc Type: Bug Fix
Last Closed: 2001-03-22 12:29:09 EST
Description Christian Conkle 2001-03-21 20:51:06 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2 i686; en-US; 0.8) Gecko/20010215
The RPM installs /usr/bin/gpg without the SETUID bit set.  This prevents
gpg from using secure memory--it cannot prevent its memory spaces from
being written to the (insecure) virtual memory spaces.  GPG has code to
lose the root permissions after allocating memory, so it seems that the
security implications of having SETUID are less than writing unencrypted
keys to disk (!!!).  With capabilities perhaps we could avoid this, but...

Reproducible: Always
Steps to Reproduce:
1. chmod `which gpg` -s
2. gpg (as non-root)

Actual Results:  "gpg: Warning: using insecure memory!"
"gpg: Go ahead and type your message..."

Expected Results:  "gpg: Go ahead and type your message..."

Additional Information:  "rpm -q gnupg: gnupg-1.0.4-9"

Fix: "chmod `which gpg` +s"
Comment 1 Daniel Roesen 2001-03-22 12:29:05 EST
Hm, I tend to agree, IF the codepath up to dropping root privs is sufficiently
convincing.
Comment 2 Nalin Dahyabhai 2001-04-02 22:00:59 EDT
Use the --no-secmem-warning option to disable this message.  Given the choice
between a hypothetical code vulnerability and the possibility of a malicious
party reading sensitive data from your swap partition, we choose to ship without
the setuid bit set.
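The secure-memory behaviour the report and Comment 2 describe, as an added example in C that is not gpg's own secmem.c: a buffer is mlock()ed so the kernel cannot page it out to swap, a failed lock degrades to the "insecure memory" state instead of aborting, and the secret is wiped before it is unlocked and freed. The secmem_* names and the sample key bytes are constructed for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
/* Constructed illustration of the secure-memory pattern, not gpg's own secmem.c. */
enum secmem_state { SECMEM_LOCKED = 0, SECMEM_INSECURE = 1 };

/* Allocate len zeroed bytes and try to mlock() them so the kernel never pages
 * them out to swap. A failed mlock() is the condition behind "gpg: Warning:
 * using insecure memory!" (EPERM without root/CAP_IPC_LOCK, ENOMEM when the
 * process has used up its RLIMIT_MEMLOCK budget). */
void *secmem_alloc(size_t len, enum secmem_state *state)
{
    void *buf = calloc(1, len);
    if (!buf) return NULL;
    if (mlock(buf, len) == 0) {
        *state = SECMEM_LOCKED;
    } else {
        *state = SECMEM_INSECURE;
        fprintf(stderr, "warning: mlock failed (%s): using insecure memory\n",
                strerror(errno));
    }
    return buf;
}
/* Zero the secret through a volatile pointer so the compiler cannot drop the
 * wipe as a dead store to memory that is about to be freed. */
void secmem_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}
/* Wipe first, then unlock and free: never let plaintext become swappable. */
void secmem_free(void *buf, size_t len, enum secmem_state state)
{
    secmem_wipe(buf, len);
    if (state == SECMEM_LOCKED) munlock(buf, len);
    free(buf);
}
/* Round trip on a constructed stand-in for key material; returns 1 if the
 * wipe left no byte set (the lock outcome is reported on stderr, not required). */
int secmem_selftest(void)
{
    enum secmem_state st;
    unsigned char *key = secmem_alloc(4096, &st), acc = 0;
    if (!key) return 0;
    memcpy(key, "CONSTRUCTED-SECRET-KEY", 22);
    secmem_wipe(key, 4096);
    for (size_t i = 0; i < 4096; i++) acc |= key[i];
    secmem_free(key, 4096, st);
    return acc == 0;
}
```

On current Linux an unprivileged process may mlock() up to its RLIMIT_MEMLOCK soft limit (see `ulimit -l`), so the lock normally succeeds without the setuid bit; only when that budget is exhausted does the code fall back to the insecure state.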