[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: gpg: "Warning: using shared memory" - SUID?

Response redirected to list.
Follow-up set to list.

on Thu, Nov 30, 2000 at 07:25:49PM +0000, Adam Langley (agl@linuxpower.org) wrote:
> On Thu, Nov 30, 2000 at 03:50:23AM -0800, kmself@ix.netcom.com wrote:
> > I'd been getting the "Warning: using shared memory" message from gpg
> > since a system upgrade yesterday.  Checking, I found that gpg was
> > not set SUID.
> > 
> > I've set the SUID bit, but am wondering why this changed.  I can't
> > find any notes about setting gnupg non-SUID in any of the obvious
> > locations, or have I missed something?
> It depends on how much you trust gnupg. Setting it SUID means that is
> can lock pages sure. But it also means that it has to be really secure
> - if you are running a single-user box then I shouldn't think you're
> too bothered that someone could find an exploit - but by default it
> should be secure.

First, this is somewhat nonresponsive to my question:  is there a
specific reason why gpg was not SUID?  It's possible that postinstall
configs didn't run on it, I've had a couple of apt problems in the past
day or so.

Second, what do you want to trust:  a single SUID program, earmarked as
a high-priority security issue, or every application running on the box
with access to priviledged memory.  

IM(not overly informed)O runnin a SUID gpg reduces risks to a single
known entity, rather than multiple unknown entities.  Yes, a compromised
gpg could pose a risk on this box, but the alternative is to trust every
application which can access these memory blocks.  In the balance of
risks, I think I'd take a closely watched SUID gpg.  This is with a
general understanding of issues, but not a close knowledge of the code

Karsten M. Self <kmself@ix.netcom.com>     http://www.netcom.com/~kmself
 Evangelist, Zelerate, Inc.                      http://www.zelerate.org
  What part of "Gestalt" don't you understand?      There is no K5 cabal
   http://gestalt-system.sourceforge.net/        http://www.kuro5hin.org

Attachment: pgpDvKbCWHhQt.pgp
Description: PGP signature

Reply to: