Bug 71644 - gnupg using insecure memory
gnupg using insecure memory
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: gnupg (Show other bugs)
5
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Mike McLean
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-08-15 22:22 EDT by Jay Berkenbilt
Modified: 2007-11-30 17:10 EST (History)
3 users (show)

See Also:
Fixed In Version: FC5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-08-07 14:10:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jay Berkenbilt 2002-08-15 22:22:31 EDT
Description of Problem:

Whenever gpg is used, it gives the warning:

gpg: Warning: using insecure memory!

This "problem" can be "corrected" by installing gpg setuid root so that it can
lock memory into core, preventing it from being swapped out.

Is there a reason that RedHat's gpg installation does not make the gpg binary
setuid root?  One could argue that the risk of stealing gpg secrets because of
gpg using insecure memory is less serious than the risk of a possible root
exploit resulting in a security hole in a setuid root executable, but one could
also argue that a program that handles secrets should be allowed to use secure
memory...

Version-Release number of selected component (if applicable):

gnupg-1.0.7-5

However, this situation has been true as long as gpg has been issuing this
warning.  I'm certain that RedHat 7.2 and 7.3 at least give this error.  I don't
remember about 7.1, and I don't have anymore 7.1 machines kicking around....

How Reproducible:

always

Steps to Reproduce:
1. run gpg

Actual Results:

You see the warning message

Expected Results:

You decide -- either you shouldn't see the warning message, or this is by design....
Comment 1 Jay Berkenbilt 2003-02-23 14:12:24 EST
I posted this 7 months ago.  I'm just wondering why there's been on activity at
all.  I don't want to nag; I just want to make sure this isn't overlooked, even
if it is fairly unimportant.
Comment 2 Bill Nottingham 2006-08-07 13:21:45 EDT
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Red Hat apologizes that these issues have not been resolved yet. We do
want to make sure that no important bugs slip through the cracks.
Please check if this issue is still present in a current Fedora Core
release. If so, please change the product and version to match, and
check the box indicating that the requested information has been
provided. Note that any bug still open against Red Hat Linux on will be
closed as 'CANTFIX' on September 30, 2006. Thanks again for your help.
Comment 3 Jay Berkenbilt 2006-08-07 13:55:27 EDT
This issue is still present in FC5.

Well, actually, the warning was removed from gnupg a long time ago, but I it
still remains the case in Fedora Core 5 that gnupg is installed without the
setuid bit and therefore uses insecure memory.  Debian installs gpg setuid root.
 I certainly understand why people might be reluctant to install something
setuid unnecessarily, but it should be safe to do so.  On the other hand, the
chances of password information actually getting written to a swap file are
pretty slim, and anyone who would have access to mine through a swap file would
also have acess to install a trojan gpg, so maybe this is just worth closing
with WONTFIX.
Comment 4 David Shaw 2006-08-07 14:07:12 EDT
(In reply to comment #3)
> This issue is still present in FC5.
> 
> Well, actually, the warning was removed from gnupg a long time ago, but I it
> still remains the case in Fedora Core 5 that gnupg is installed without the
> setuid bit and therefore uses insecure memory.

This is not correct.  The warning is still in place in GnuPG.  The reason the
warning does not show up under FC5 is that FC5 allows for a non-root process
to lock (a small amount of) memory.  Thus on FC5, GnuPG does not need to be
setuid root.

I don't recall which FC began to allow non-root memory locking, but it was
certainly present in FC3.
Comment 5 Bill Nottingham 2006-08-07 14:10:00 EDT
Closing, then.
Comment 6 Jay Berkenbilt 2006-08-07 14:11:22 EDT
Thanks, you're right.  According to the mlock manual page, this was added in
kernel 2.6.9.

Note You need to log in before you can comment on or make changes to this bug.