
Re: Which package is responsible for setting rlimits?
Simon McVittie <smcv@debian.org> writes:
> On Mon, 01 Feb 2021 at 09:54:56 -0800, Russ Allbery wrote:

>> Does this serve any useful purpose?

> Honestly, probably not, but removing security hardening (however
> dubious) is a regression, and if I remove it I'm sure there'll be a CVE
> ID on the way shortly.

I would argue that removing the capability bit on that binary is a
security improvement rather than a regression.  I think it's more likely
there is an exploit path in the program than that someone's security will
be compromised by someone pulling keys from an unencrypted swap partition
(that couldn't have been just as easily compromised in some other way).

In general, protecting against attackers with physical access to your
system is not a realistic threat model for the average user, and if you're
not the average user and need to worry about this, you need to be using
disk encryption, not inconsistently-applied memory pinning.

My recollection is that Ferguson, et al. are quite dubious about memory
pinning approaches in _Cryptography Engineering_ because (a) you will
almost certainly not manage to pin all the memory that you need to pin
because keys get everywhere in a running program, and (b) the level of
additional complexity including security complexity is not worth the
dubious gains.

>> If someone cares about this type of security, they should put swap on
>> an encrypted file system

> Sure, you know that, and I know that, but existing systems don't have
> it.

I wonder if we could say something in the release notes or elsewhere to
encourage people to move in this direction.

Linux upstream doesn't seem very enthused about supporting hibernation, so
maybe we should similarly not be enthused about supporting hibernation and
just enable encrypted swap with ephemeral keys by default, with a warning.
If someone configures FDE, we would, of course, move swap into the FDE
scheme as well (thus enabling hibernation again).  If someone wants
hibernation without FDE, they can always turn off the ephemeral
encryption.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
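As an added illustration of the ephemeral-key encrypted swap proposed above (this is not part of the original thread, and it is not Debian's shipped configuration): the crypttab(5)/fstab(5) fragments below follow the Debian cryptsetup conventions as I know them, with the partition path being a placeholder; option spellings should be checked against the crypttab(5) on the target release.

```text
# /etc/crypttab  (constructed example, not a real system's file)
#
# At every boot a fresh random key is read from /dev/urandom, a plain
# dm-crypt mapping is created over the partition, and mkswap is run on it
# (the "swap" option). Nothing written to swap survives a power-off, so an
# attacker pulling the disk later cannot recover keys that were paged out.
#
# Caveats:
#  * Use a stable device name (by-partuuid or by-id), never /dev/sdXN and
#    never the swap signature's UUID: mkswap regenerates that UUID each
#    boot, and the "swap" option will happily reformat whatever the source
#    resolves to.
#  * Hibernation (resume from swap) cannot work, because the key that
#    encrypted the image is gone after reboot. Remove any resume= kernel
#    parameter or initramfs RESUME= setting that points at this partition.
#  * With full-disk encryption in place, put swap inside the LUKS/LVM
#    volume instead; it is then covered by the FDE key and hibernation works.
#
# <target>  <source device>                              <key file>    <options>
cswap       /dev/disk/by-partuuid/PLACEHOLDER-PARTUUID   /dev/urandom  plain,cipher=aes-xts-plain64,size=256,swap

# /etc/fstab: activate the mapped device, never the raw partition.
/dev/mapper/cswap  none  swap  sw  0  0
```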