
Re: Which package is responsible for setting rlimits?
Simon Richter <sjr@debian.org> writes:

> Absolutely. The vast majority of users has no need for encrypted swap,
> but might reasonably assume that secret keys are not written unencrypted
> to disk, especially not in a way that is likely to leave them there for
> weeks.

That is not a reasonable assumption.  If you don't have encrypted swap,
secret keys may be written unencrypted to disk.  The only way to solve
this problem is with encrypted swap.

If you tell someone something else, you're doing them a disservice,
because you're creating an expectation that will not be met by Linux.
Just to take the most obvious point, loads of programs on your system
(such as your web browser!) deal with secret keys, and approximately none
of them are locking memory.

> Expecting users to set up encrypted swap is a fairly steep requirement
> if all they want to do is keep a few kilobytes of secret data actually
> secret.

You do realize how easy it is to set up encrypted swap provided that you
don't use hibernate, right?

> The mlock privilege is largely relevant from a denial-of-service
> standpoint, so I think we come out ahead by allowing a program we trust
> with secret keys to theoretically create memory pressure (which still
> wouldn't spill secret keys to swap).

I would not be at all certain that the only kernel attack surface you're
exposing is denial-of-service.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
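The exchange above argues about what mlock() buys a program holding a few kilobytes of key material and what RLIMIT_MEMLOCK costs it. The following is an added worked example, not code from this thread or from any Debian package: a small C program for Linux/glibc that checks the soft RLIMIT_MEMLOCK, allocates a page-aligned buffer, pins it with mlock() so it cannot be written to swap, marks it as excluded from core dumps where the kernel supports that, and wipes it before releasing. The key bytes, the buffer size and the helper names are all constructed for the demo. Note what the example does not do: it does not protect the key from a hibernation image or from other readers of the process's memory, which is the point Russ makes about encrypted swap being the only complete answer.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Length of the example secret (a constructed value for this demo). */
#define SECRET_LEN 16

/* Round a byte count up to whole pages: mlock() works on page granularity
 * and the kernel charges whole pages against RLIMIT_MEMLOCK. */
static size_t round_up_to_page(size_t len) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return (len + page - 1) / page * page;
}

/* 1 if locking `len` bytes fits the soft RLIMIT_MEMLOCK of this process
 * (ignoring pages already locked), 0 if not, -1 on error. */
static int lock_fits_limit(size_t len) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return -1;
    if (rl.rlim_cur == RLIM_INFINITY)
        return 1;
    return (unsigned long long)rl.rlim_cur >= round_up_to_page(len) ? 1 : 0;
}

/* Allocate page-aligned memory for secret material and pin it in RAM so it is
 * never written to (unencrypted) swap.  Returns NULL with errno set on failure
 * (ENOMEM: RLIMIT_MEMLOCK exceeded; EPERM: not permitted); the caller decides
 * whether to refuse to continue or to fall back to unlocked memory. */
static void *alloc_locked(size_t len) {
    size_t alloc = round_up_to_page(len);
    void *p = NULL;
    int rc = posix_memalign(&p, (size_t)sysconf(_SC_PAGESIZE), alloc);
    if (rc != 0) {
        errno = rc;
        return NULL;
    }
    if (mlock(p, alloc) != 0) {
        int saved = errno;
        free(p);
        errno = saved;
        return NULL;
    }
#ifdef MADV_DONTDUMP
    madvise(p, alloc, MADV_DONTDUMP);   /* best effort: keep it out of core dumps */
#endif
    return p;
}

/* Zero through a volatile pointer so the compiler cannot drop the wipe as a
 * dead store before free(). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Wipe, unlock and release memory obtained from alloc_locked(). */
static void free_locked(void *p, size_t len) {
    size_t alloc = round_up_to_page(len);
    secure_wipe(p, alloc);
    munlock(p, alloc);
    free(p);
}

/* Returns 0 if the demo secret could be locked, used and released, otherwise
 * the errno from mlock().  A function rather than inline main() code so the
 * outcome can be checked programmatically. */
static int try_lock_secret(void) {
    /* Constructed placeholder key bytes; a real program would load or derive them. */
    static const unsigned char demo_key[SECRET_LEN] = {
        0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04,
        0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c };
    unsigned char *secret = alloc_locked(SECRET_LEN);
    if (secret == NULL)
        return errno;
    memcpy(secret, demo_key, SECRET_LEN);
    /* ... the key would be used here ... */
    free_locked(secret, SECRET_LEN);
    return 0;
}

int main(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) == 0) {
        if (rl.rlim_cur == RLIM_INFINITY)
            printf("RLIMIT_MEMLOCK soft limit: unlimited\n");
        else
            printf("RLIMIT_MEMLOCK soft limit: %llu bytes\n",
                   (unsigned long long)rl.rlim_cur);
    }
    int rc = try_lock_secret();
    if (rc == 0)
        printf("secret locked in RAM, used, wiped and released\n");
    else
        printf("could not lock secret memory: %s\n", strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

Run it once under the default limit (`ulimit -l` shows it, commonly 64 KiB on Debian) and once after lowering the soft limit to 0 with `ulimit -l 0` to see the ENOMEM path; this is the failure a program hits when it is not granted the mlock privilege the thread is discussing, and a program that silently continues in that case has no more protection than one that never called mlock() at all.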