Reply to message from Anthony E. Greene on Sat, 30 Dec 2000, 05:44 <-0500>:

> On Fri, 29 Dec 2000 23:04:09 Statux wrote:
> >I get warning/error messages like this one on the end of signed messages..
> >is there something I'm missing? :)
> >
> >----------------------------------------------------------------------
> >gpg: Warning: using insecure memory!
> >gpg: Signature made Fri Dec 29 20:51:40 2000 EST using ELG key ID C0B8AA34
> >gpg: Can't check signature: public key not found
> >----------------------------------------------------------------------
>
> Make gpg suid:
>
>   chmod u+s `which gpg`

[ .... ]




Statux, don't know whether the problem's already fixed on your machine,
but I was (and I still am) being nerved by this "insecure memory" message
on my machine (until now IIRC it's only Pine spilling out this message), so
I searched around the Net (probably mailing-lists or so ...) some time ago
and found some answers (not being sure whether they're solutions ....) on
various locations there. I just paste them into this mail, more or less
unchanged .... headlines, date or so (for better navigation) were probably
added there by myself this time ...

Separation lines normally *should* mean different places where I found the
stuff, and I cut lines in this mail that I thought were not related to the
subject:



###################################################################

 GPG - a Perl2GnuPG interface
[ ... ]
FAQ

      Q: How secure is GPG ?
      A: As secure as you want... Be careful. First, GPG is no
    more secure than 'gpg'.
    Second, all passphrases are stored in non-secure memory, unless
    you "chown root" and "chmod 4755" your script first. Third, your
    script probably stores passphrases somewhere on the disk, and
    this is *not* secure.

----------------------------------------------------------------------
perhaps only for mutt:

 o  <CTRL>F (when using the key phrase to sign or decrypt a message, it
     is still in memory. With this you can delete it from memory)

-----------------------------------------------------------------------

First of all, "chmod +s /usr/local/bin/gnupg"..
Then it will use secure memory.

---------------------------------------------------------------------
> When I run anything to do with GnuPG on my home SuSE 6.4 box, I get a
> message saying..."using insecure memory"  Is there a way to fix this?
> And anyone have any idea why this is doing this.  Also please do not
> reply to me personally since this was written from my SuSE 6.4 box
> sitting behind my firewall....

        sudo chown root:root `which gpg`
        sudo chmod u+s `which gpg`
gnupg needs root privs to lock the memory pages so they don't get
inadvertently paged out to disk.  (Thereby leaving a plaintext copy of
your "secure" message on disk for others to look at).

---------------------------------------------------------------------------
 You will notice that every time you use GPG, it will complain like this:

   gpg: Warning: using insecure memory!

   GPG can't lock memory pages while you don't run it with 'root'
   privileges. So it might be possible to read out the content of these
   pages and thus the passphrase. The only solution would be running GPG
   'setuid root' (chmod 4755 /usr/bin/gpg), but this is also considered a
   security risk....
   By putting the option no-secmem-warning into '~/.gnu/options', you can
   turn off the warning message.
       (11.8.2000)
-------------------------------------------------------------------
In mutt you can wipe your PGP passphrase from memory using Ctrl-F.

##################################################################################




Hoping it helps a bit ...


Happy 2001 to everyone here, and thanks for the help I got from many of
you here these last months ( which were my *first* first months here) ...

Thanks to all, good place here with all of you....

Wolfgang



-- 
http://www.geocities.com/wolfgangpfeiffer/





_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
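
What the "insecure memory" warning in this thread refers to, as an added C example that is not part of the original mail and is not GnuPG's code: it tries to pin a passphrase buffer in RAM with mlock() and wipes it after use. The `secbuf` names are hypothetical and the passphrase is a constructed sample.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper type for this example, not a GnuPG structure. */
struct secbuf {
    unsigned char *p;  /* page-aligned buffer for the secret */
    size_t len;        /* buffer size: one page */
    int locked;        /* 1 if mlock() succeeded, 0 means "insecure memory" */
    int err;           /* errno from mlock() when locked == 0 */
};

/* Allocate one page and try to pin it in RAM so it cannot be swapped out. */
int secbuf_alloc(struct secbuf *b) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    b->len = (size_t)page;
    b->p = aligned_alloc(b->len, b->len);
    if (b->p == NULL) return -1;
    /* mlock() fails (EPERM/ENOMEM) without privilege or above RLIMIT_MEMLOCK. */
    b->locked = (mlock(b->p, b->len) == 0);
    b->err = b->locked ? 0 : errno;
    return 0;
}

/* Overwrite the secret; volatile keeps the compiler from dropping the stores. */
void secbuf_wipe(struct secbuf *b) {
    volatile unsigned char *v = b->p;
    for (size_t i = 0; i < b->len; i++) v[i] = 0;
}

/* Wipe first, then unlock and release, so the secret does not linger in freed memory. */
void secbuf_free(struct secbuf *b) {
    secbuf_wipe(b);
    if (b->locked) munlock(b->p, b->len);
    free(b->p);
    b->p = NULL;
}

int main(void) {
    struct secbuf b;
    if (secbuf_alloc(&b) != 0) return 2;
    if (!b.locked) fprintf(stderr, "insecure memory: %s\n", strerror(b.err));
    strcpy((char *)b.p, "constructed-passphrase"); /* constructed sample secret */
    secbuf_free(&b);
    return 0;
}
```

On Linux 2.6.9 and later an unprivileged process may lock memory up to RLIMIT_MEMLOCK, so the lock usually succeeds without a setuid-root binary; on the older kernels this thread dates from, mlock() required root.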
