Response redirected to list. Follow-up set to list. on Thu, Nov 30, 2000 at 07:25:49PM +0000, Adam Langley (agl@linuxpower.org) wrote: > On Thu, Nov 30, 2000 at 03:50:23AM -0800, kmself@ix.netcom.com wrote: > > I'd been getting the "Warning: using shared memory" message from gpg > > since a system upgrade yesterday. Checking, I found that gpg was > > not set SUID. > > > > I've set the SUID bit, but am wondering why this changed. I can't > > find any notes about setting gnupg non-SUID in any of the obvious > > locations, or have I missed something? > > It depends on how much you trust gnupg. Setting it SUID means that is > can lock pages sure. But it also means that it has to be really secure > - if you are running a single-user box then I shouldn't think you're > too bothered that someone could find an exploit - but by default it > should be secure. First, this is somewhat nonresponsive to my question: is there a specific reason why gpg was not SUID? It's possible that postinstall configs didn't run on it, I've had a couple of apt problems in the past day or so. Second, what do you want to trust: a single SUID program, earmarked as a high-priority security issue, or every application running on the box with access to priviledged memory. IM(not overly informed)O runnin a SUID gpg reduces risks to a single known entity, rather than multiple unknown entities. Yes, a compromised gpg could pose a risk on this box, but the alternative is to trust every application which can access these memory blocks. In the balance of risks, I think I'd take a closely watched SUID gpg. This is with a general understanding of issues, but not a close knowledge of the code myself. -- Karsten M. Self <kmself@ix.netcom.com> http://www.netcom.com/~kmself Evangelist, Zelerate, Inc. http://www.zelerate.org What part of "Gestalt" don't you understand? There is no K5 cabal http://gestalt-system.sourceforge.net/ http://www.kuro5hin.org
Attachment:
pgpDvKbCWHhQt.pgp
Description: PGP signature