Bug 32618 - /usr/bin/gpg requires SETUID root to use secure memory
Summary: /usr/bin/gpg requires SETUID root to use secure memory
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: gnupg   
Version: 7.0
Hardware: i386 Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Aaron Brown
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
Reported: 2001-03-22 01:51 UTC by Christian Conkle
Modified: 2007-04-18 16:32 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-03-22 17:29:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



Description Christian Conkle 2001-03-22 01:51:06 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2 i686; en-US; 0.8) Gecko/20010215


The RPM installs /usr/bin/gpg without the SETUID bit set.  This prevents
gpg from using secure memory--it cannot prevent its memory spaces from
being written to the (insecure) virtual memory spaces.  GPG has code to
lose the root permissions after allocating memory, so it seems that the
security implications of having SETUID are less than writing unencrypted
keys to disk (!!!).  With capabilities perhaps we could avoid this, but...

Reproducible: Always
Steps to Reproduce:
1. chmod `which gpg` -s
2. gpg (as non-root)

Actual Results:  "gpg: Warning: using insecure memory!"
"gpg: Go ahead and type your message..."

Expected Results:  "gpg: Go ahead and type your message..."

Additional Information:  "rpm -q gnupg: gnupg-1.0.4-9"

Fix: "chmod `which gpg` +s"
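The allocate-then-drop-root sequence the report relies on, as an added C example (not GnuPG's own code): the pool is mmap'd and mlock'd so it cannot be paged out to swap, root is dropped and the drop is verified before any key material is touched, and a failed mlock leaves the pool usable but flagged insecure, which is the condition behind the warning quoted above. The struct and function names are assumptions made for this example.

```c
#define _GNU_SOURCE          /* MAP_ANONYMOUS on glibc */
#include <unistd.h>
#include <sys/mman.h>

/* A page-aligned pool that we try to pin in RAM so it can never reach swap. */
struct secmem {
    void  *base;
    size_t len;
    int    locked;   /* 1 if mlock() succeeded, 0 if we fell back to insecure memory */
};

/* Reserve the pool. Locking needs root, CAP_IPC_LOCK or enough RLIMIT_MEMLOCK;
 * on failure we keep the memory but flag it ("using insecure memory"). */
int secmem_init(struct secmem *s, size_t want)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    s->len  = (want + page - 1) / page * page;
    s->base = mmap(NULL, s->len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (s->base == MAP_FAILED) { s->base = NULL; return -1; }
    s->locked = (mlock(s->base, s->len) == 0);
    return 0;
}

/* Give up root as soon as the pool is locked. setuid() called with euid 0 sets
 * real, effective and saved uid, so the drop is irreversible; we verify that. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (geteuid() != 0)
        return 0;                         /* not setuid root: nothing to drop */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (ruid != 0 && seteuid(0) == 0)
        return -1;                        /* drop did not stick */
    return 0;
}

/* Wipe through a volatile pointer (a plain memset before munmap may be
 * optimised away), then unlock and unmap. */
void secmem_release(struct secmem *s)
{
    volatile unsigned char *p = (volatile unsigned char *)s->base;
    if (!p) return;
    for (size_t i = 0; i < s->len; i++) p[i] = 0;
    if (s->locked) munlock(s->base, s->len);
    munmap(s->base, s->len);
    s->base = NULL;
}
```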

Comment 1 Daniel Roesen 2001-03-22 17:29:05 UTC
Hm, I tend to agree, IF the codepath up to dropping root privs is sufficiently
convincing.

Comment 2 Nalin Dahyabhai 2001-04-03 02:00:59 UTC
Use the --no-secmem-warning option to disable this message.  Given the choice
between a hypothetical code vulnerability and the possibility of a malicious
party reading sensitive data from your swap partition, we choose to ship without
the setuid bit set.

