Re: OpenSSH uploaded replacing ssh, please test

To: Tommi Virtanen <tv@debian.org>
Cc: debian-devel@lists.debian.org, recipient list not shown: ;
Subject: Re: OpenSSH uploaded replacing ssh, please test
From: Jules Bean <jmlb2@hermes.cam.ac.uk>
Date: Thu, 4 Nov 1999 23:11:54 +0000 (GMT)
Message-id: <Pine.SOL.4.10a.9911042309270.17870-100000@red.csi.cam.ac.uk>
In-reply-to: <19991105000053.A20053@hq.yok.utu.fi>

On Fri, 5 Nov 1999, Tommi Virtanen wrote:

> On Thu, Nov 04, 1999 at 12:10:49PM -0500, Daniel Burrows wrote:
> > On Thu, Nov 04, 1999 at 06:36:53PM +0200, Tommi Virtanen was heard to say:
> > >         I am no X expert, but I don't think there's more to do
> > >         than that. Unless you want to lock the pages into memory
> > >         etc..
> >   Actually, I was about to ask whether it's possible to do this (lock memory)
> > without making it suid ;-)
> > 
> >   This would probably be a Good Idea..although if the standard askpass doesn't
> > do it leaving it out for now is probably ok (since you won't be any less secure
> > at any rate..)
> 
> 	I believe that would need suid access, which is very
>         inappropriate for Perl/Tk. Quoting gpg(1):
> 
> --8<--
> BUGS
>        On many  systems  this  program  should  be  installed  as
>        setuid(root).  This  is  necessary  to  lock memory pages.
>        Locking memory pages prevents the  operating  system  from
>        writing  memory  pages to disk. If you get no warning mes
>        sage about insecure memory your operating system  supports
>        locking  without being root. The program drops root privi
>        leges as soon as locked memory is allocated.
> --8<--

ObOnTopic: This thread is drifting off topic. My personal feeling is that
these fundamental ideas about security are relevant to debian development
as a whole, and hence OK.  I hope you agree :)

How does this help?  Pages written to disk can only be accessed by people
with root access.  And if you don't trust root on a given machine, you're
lost anyway (they could easily, for example, replace gpg or ssh with a
trojan).  Have I missed something?

Jules

/----------------+-------------------------------+---------------------\
|  Jelibean aka  | jules@jellybean.co.uk         |  6 Evelyn Rd	       |
|  Jules aka     | jules@debian.org              |  Richmond, Surrey   |
|  Julian Bean   | jmlb2@hermes.cam.ac.uk        |  TW9 2TF *UK*       |
+----------------+-------------------------------+---------------------+
|  War doesn't demonstrate who's right... just who's left.             |
|  When privacy is outlawed... only the outlaws have privacy.          |
\----------------------------------------------------------------------/

Reply to:

Follow-Ups:
- Re: OpenSSH uploaded replacing ssh, please test
  - From: David Benson <daveb@idealab.com>

References:
- Re: OpenSSH uploaded replacing ssh, please test
  - From: Tommi Virtanen <tv@debian.org>

Prev by Date: Giving away all my packages
Next by Date: Re: Giving away all my packages
Previous by thread: Re: OpenSSH uploaded replacing ssh, please test
Next by thread: Re: OpenSSH uploaded replacing ssh, please test
Index(es):
- Date
- Thread