Red Hat Bugzilla – Bug 51913
/usr/bin/gpg needs setuid root for memory locking
Last modified: 2007-04-18 12:35:59 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-2 i686; en-US; rv:0.9.1)
Description of problem:
Per the last paragraph in 'man gpg', gpg attempts to allocate locked memory
so it can ensure that the memory is not paged to disk. If gpg cannot
allocate locked memory, it gives warning about using insecure memory.
Package should consider 'chmod +s /usr/bin/gpg' to avoid the insecure
memory security risk. It is understood that setuid is a different kind of
security risk. :)
I'm not sure which way the packager should balance security... the
integrity of the machine or the integrity of the user's information. In
this case, I personally would favor the integrity of my encrypted information.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install latest gpg package. Note or ensure no setuid mode on gpg.
2. Use gpg to verify a signature or to encrypt or decrypt data.
3. Note the warning about insecure memory goes away if gpg is setuid root.
Actual Results: Without setuid root, gpg complains about having to use
insecure (pageable) memory.
Expected Results: With setuid root, gpg is able to ensure its allocated
memory will not be paged to disk, and gives no warning.
See 'man gpg', last paragraph.
*** Bug 56846 has been marked as a duplicate of this bug. ***
*** This bug has been marked as a duplicate of 19897 ***