Re: OpenSSH uploaded replacing ssh, please test
On Fri, 5 Nov 1999, Tommi Virtanen wrote:
> On Thu, Nov 04, 1999 at 12:10:49PM -0500, Daniel Burrows wrote:
> > On Thu, Nov 04, 1999 at 06:36:53PM +0200, Tommi Virtanen was heard to say:
> > > I am no X expert, but I don't think there's more to do
> > > than that. Unless you want to lock the pages into memory
> > > etc..
> > Actually, I was about to ask whether it's possible to do this (lock memory)
> > without making it suid ;-)
> >
> > This would probably be a Good Idea..although if the standard askpass doesn't
> > do it leaving it out for now is probably ok (since you won't be any less secure
> > at any rate..)
>
> I believe that would need suid access, which is very
> inappropriate for Perl/Tk. Quoting gpg(1):
>
> --8<--
> BUGS
> On many systems this program should be installed as
> setuid(root). This is necessary to lock memory pages.
> Locking memory pages prevents the operating system from
> writing memory pages to disk. If you get no warning message
> about insecure memory your operating system supports
> locking without being root. The program drops root privileges
> as soon as locked memory is allocated.
> --8<--
ObOnTopic: This thread is drifting off topic. My personal feeling is that
these fundamental ideas about security are relevant to debian development
as a whole, and hence OK. I hope you agree :)
How does this help? Pages written to disk can only be accessed by people
with root access. And if you don't trust root on a given machine, you're
lost anyway (they could easily, for example, replace gpg or ssh with a
trojan). Have I missed something?
Jules
/----------------+-------------------------------+---------------------\
| Jelibean aka   | jules@jellybean.co.uk         | 6 Evelyn Rd         |
| Jules aka      | jules@debian.org              | Richmond, Surrey    |
| Julian Bean    | jmlb2@hermes.cam.ac.uk        | TW9 2TF *UK*        |
+----------------+-------------------------------+---------------------+
| War doesn't demonstrate who's right... just who's left.              |
| When privacy is outlawed... only the outlaws have privacy.           |
\----------------------------------------------------------------------/
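The memory-locking and privilege-dropping behaviour that the quoted gpg(1) text describes, as an added C example for this thread (not code from gpg, OpenSSH or anyone on the list): it maps a page-aligned buffer for secrets, tries mlock(), reports the "insecure memory" case when the lock is refused, wipes the buffer before releasing it, and drops root only after the locked region exists. The struct and function names are this example's own.

```c
/* Added example, not from gpg or the thread: pin a secret buffer in RAM,
 * warn when that is not permitted, and drop root afterwards. Linux/POSIX. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/types.h>

struct secure_buf {
    unsigned char *data;
    size_t len;      /* page-rounded size actually mapped */
    int locked;      /* 1 if mlock() succeeded, 0 if running with "insecure memory" */
};

/* Allocate a page-aligned anonymous mapping for secrets and try to pin it.
 * Returns 0 on success (sb->locked tells whether the pin worked), -1 on error. */
int secure_buf_alloc(struct secure_buf *sb, size_t want)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || want == 0) return -1;
    size_t len = ((want + (size_t)page - 1) / (size_t)page) * (size_t)page;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    sb->data = p;
    sb->len = len;
    if (mlock(p, len) == 0) {
        sb->locked = 1;                 /* pages will not be written to swap */
    } else {
        /* EPERM/ENOMEM: no CAP_IPC_LOCK (i.e. not root) and the request exceeds
         * RLIMIT_MEMLOCK. This is the situation gpg reports as insecure memory. */
        sb->locked = 0;
        fprintf(stderr, "warning: using insecure memory (mlock: %s)\n",
                strerror(errno));
    }
    return 0;
}

/* Overwrite the secret through a volatile pointer so the store is not elided. */
int secure_buf_wipe(struct secure_buf *sb)
{
    if (sb->data == NULL) return -1;
    volatile unsigned char *v = sb->data;
    for (size_t i = 0; i < sb->len; i++) v[i] = 0;
    return 0;
}

/* Wipe, unlock if locked, and unmap. Returns 0 on success. */
int secure_buf_free(struct secure_buf *sb)
{
    if (secure_buf_wipe(sb) != 0) return -1;
    if (sb->locked && munlock(sb->data, sb->len) != 0) return -1;
    if (munmap(sb->data, sb->len) != 0) return -1;
    sb->data = NULL;
    sb->len = 0;
    sb->locked = 0;
    return 0;
}

/* Drop root permanently, in the order gpg describes: call this only after the
 * locked buffer exists. A no-op when not running as root. Returns 0 on success. */
int drop_root(uid_t uid, gid_t gid)
{
    if (geteuid() != 0) return 0;       /* nothing to drop */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;    /* group first, while still root */
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;      /* must not be able to regain root */
    return 0;
}

int main(void)
{
    struct secure_buf sb;
    if (secure_buf_alloc(&sb, 64) != 0) return 1;
    if (drop_root(65534, 65534) != 0) return 1;   /* 65534: conventional "nobody" uid */
    memcpy(sb.data, "constructed sample passphrase", 29);
    printf("locked=%d len=%zu\n", sb.locked, sb.len);
    return secure_buf_free(&sb) == 0 ? 0 : 1;
}
```

mlock() only controls whether the kernel may write the pages to swap; it does not restrict who can read the process's memory, and a process that cannot lock keeps working and just prints the warning, which mirrors the man-page wording above.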