[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: libgcrypt brain dead?

Brian May wrote:
> 2. libgcrypt drops root privileges if called setuid on the assumption
> the only reason the program is setuid root is so it can lock memory.
> Unfortunately this breaks every setuid program tat uses PAM when PAM
> is configured to use ldap and ldap is configured to use gnutls,
> because gnutls uses gcrypt.

  An example is pmount, who sometime calls cryptsetup itself relying on


  In that case, the workaround is to call cryptsetup as root, but that
doesn't sound right and could lead to more problems...

  Why gcrypt doesn't leave up to the caller to deal with dropping
privileges ? The not-dropping-privileges hack mentioned by Werner Koch
in #566351 should be fine enough...


Vincent Fourmond, Debian Developer

Comme dit mon tonton: plus on est de cons, plus ça se voit !
 -- La Tordue, Où va-t-on

Vincent, listening to Planet Telex (Radiohead)

Reply to: