Bug#598471: [Pkg-gnupg-maint] Bug#598471: using insecure memory on GNU/kFreeBSD

2010-11-16 Thread Thijs Kinkhorst
On Sunday 14 November 2010 23:35:39 Robert Millan wrote:
> 2010/11/14 Werner Koch w...@gnupg.org:
> > I don't have time to work on this myself. Unless someone else does,
> > I'd still recommend adding the SUID bit as a temporary solution.
> >
> > Might be the easiest way until we have proper disk encryption support.
>
> Ok.  Thijs, since there were no other objections, would you
> please go with that option?

It's already committed; it will be part of a next upload.


Cheers,
Thijs


signature.asc
Description: This is a digitally signed message part.


Bug#598471: [Pkg-gnupg-maint] Bug#598471: using insecure memory on GNU/kFreeBSD

2010-11-14 Thread Werner Koch
On Sat, 13 Nov 2010 21:38, r...@debian.org said:

Yeah, that is a problem.  Last weekend I tried to port it but I have a
lack of understanding how the Debian packages are supposed to work
together; in particular the kernel headers and the various system
libraries like libgeom etc.  


> For that we're missing a port of geli utility, figuring out some init.d

I'd really like to help here because of the g13 tool of GnuPG which I
would like to have support for geli as backend.  I even pondered with
the idea of rewriting geli and to integrate it closely into g13.  The
lack of documentation in this area makes it not very easy.

> I don't have time to work on this myself. Unless someone else does,
> I'd still recommend adding the SUID bit as a temporary solution.

Might be the easiest way until we have proper disk encryption support.

> P.S. I suggest you update that FAQ ;-)

Will do that.  It is easier now because I converted the FAQ to orgmode
and it will not be distributed with GnuPG anymore.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#598471: [Pkg-gnupg-maint] Bug#598471: using insecure memory on GNU/kFreeBSD

2010-11-14 Thread Robert Millan
2010/11/14 Werner Koch w...@gnupg.org:
> I don't have time to work on this myself. Unless someone else does,
> I'd still recommend adding the SUID bit as a temporary solution.
>
> Might be the easiest way until we have proper disk encryption support.

Ok.  Thijs, since there were no other objections, would you
please go with that option?

Thanks

-- 
Robert Millan






Bug#598471: [Pkg-gnupg-maint] Bug#598471: using insecure memory on GNU/kFreeBSD

2010-11-13 Thread Thijs Kinkhorst
On Wed, September 29, 2010 14:36, Werner Koch wrote:
> On Wed, 29 Sep 2010 11:41, r...@debian.org said:
>
> Upstream recommends [2] setting the SUID bit and assures that the
> program
> drops root privileges as soon as locked memory is allocated.
>
> However it is much easier and more secure to enable encrypted swap
> space than to use mlock.  It seems that gbde and the init scripts are
> missing on GNU/kfreebsd.

Robert, as I don't have knowledge of GNU/kFreeBSD, can you say whether the
suggestion by Werner is indeed a better way to solve this problem?


Cheers,
Thijs






Bug#598471: [Pkg-gnupg-maint] Bug#598471: using insecure memory on GNU/kFreeBSD

2010-11-13 Thread Robert Millan
2010/11/13 Thijs Kinkhorst th...@debian.org:
> Upstream recommends [2] setting the SUID bit and assures that the
> program
> drops root privileges as soon as locked memory is allocated.
>
> However it is much easier and more secure to enable encrypted swap
> space than to use mlock.  It seems that gbde and the init scripts are
> missing on GNU/kfreebsd.
>
> Robert, as I don't have knowledge of GNU/kFreeBSD, can you say whether the
> suggestion by Werner is indeed a better way to solve this problem?

I disagree.  This puts an additional burden on the user.  Adding SUID
bit doesn't seem like a security problem.  Gnupg drops privileges as
soon as it's not needed anymore, and upstream recommends this in
their FAQ.

(Yes I know Werner is upstream, but if it's still in the FAQ I assume he
doesn't consider it a bad option)

CC'ing debian-bsd

-- 
Robert Millan






Bug#598471: [Pkg-gnupg-maint] Bug#598471: using insecure memory on GNU/kFreeBSD

2010-11-13 Thread Thijs Kinkhorst
On Saturday 13 November 2010 14:58:29 Robert Millan wrote:
> > Upstream recommends [2] setting the SUID bit and assures that the
> > program
> > drops root privileges as soon as locked memory is allocated.
> >
> > However it is much easier and more secure to enable encrypted swap
> > space than to use mlock.  It seems that gbde and the init scripts are
> > missing on GNU/kfreebsd.
> >
> > Robert, as I don't have knowledge of GNU/kFreeBSD, can you say whether
> > the suggestion by Werner is indeed a better way to solve this problem?
>
> I disagree.  This puts an additional burden on the user.  Adding SUID
> bit doesn't seem like a security problem.  Gnupg drops privileges as
> soon as it's not needed anymore, and upstream recommends this in
> their FAQ.
>
> (Yes I know Werner is upstream, but if it's still in the FAQ I assume he
> doesn't consider it a bad option)
>
> CC'ing debian-bsd

OK, I'll be applying your patch then in the next upload of gnupg.


Cheers,
Thijs




Bug#598471: [Pkg-gnupg-maint] Bug#598471: using insecure memory on GNU/kFreeBSD

2010-11-13 Thread Werner Koch
On Sat, 13 Nov 2010 14:58, r...@debian.org said:

> I disagree.  This puts an additional burden on the user.  Adding SUID

I can't see why encrypting the swap puts an additional burden on the
user or on the machine.  If you need to swap/page something you are in
either of these situations:

 - The process is idle for a long time.  Thus there should be no burden
   to the user regarding the extra time it takes for the system to swap
   it out.  The system is anyway under some stress.

 - There is a severe memory resource shortage and due to the ongoing
   swap operations in many processes, the system performance is I/O
   bounded and the CPU has enough time to do that little symmetric
   encryption.

Even without having done any benchmarks I'd enable swap encryption by
default.

> bit doesn't seem like a security problem.  Gnupg drops privileges as
> soon as it's not needed anymore, and upstream recommends this in
> their FAQ.

Ahemm, the FAQ.  Well that beast is old and hopefully the only
unmaintained part of GnuPG.

The background for the SUID stuff is that back in 1998 encrypted swap
partitions were not widely available and disk encryption on GNU/Linux
was not available at all (due to US export restrictions).

The manual even states (at least I hope) that you should set the SUID
bit only if you see the warning, on modern Linux kernels there is no
need for it because any process may mlock a few pages which is
sufficient.

With an encrypted swap partition all stuff could be much much easier.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.







Bug#598471: [Pkg-gnupg-maint] Bug#598471: using insecure memory on GNU/kFreeBSD

2010-11-13 Thread Robert Millan
2010/11/13 Werner Koch w...@gnupg.org:
> I can't see why encrypting the swap puts an additional burden on the
> user or on the machine.

This depends on whether it's the default setting or not.  If it's not,
it definitely does (just the burden of figuring out what the heck is
wrong is already significant for many users).

> Even without having done any benchmarks
> I'd enable swap encryption by default.

I second that.  kFreeBSD disk encryption supports generating
one-time keys, which works well for swap:

  geli onetime -s 4096 /dev/something
  swapon /dev/something.eli

For that we're missing a port of geli utility, figuring out some init.d
magic that would replace (or integrate with) swapon -a, and
integration with D-I to set the whole thing up.

I don't have time to work on this myself. Unless someone else does,
I'd still recommend adding the SUID bit as a temporary solution.

What do debian-bsd folks think about this?

P.S. I suggest you update that FAQ ;-)

-- 
Robert Millan






Bug#598471: using insecure memory on GNU/kFreeBSD

2010-09-29 Thread Robert Millan
Package: gnupg
Version: 1.4.10-4
Severity: normal
Tags: patch
User: debian-...@lists.debian.org
Usertags: kfreebsd

gnupg is using insecure memory on GNU/kFreeBSD (unless run as root) because
the mlock() kernel call is reserved to the super-user [1]:

  gpg: WARNING: using insecure memory!
  gpg: please see http://www.gnupg.org/faq.html for more information

Upstream recommends [2] setting the SUID bit and assures that the program
drops root privileges as soon as locked memory is allocated.

Patch attached.

Note for those coming from google: Aside from this problem, you may also
get this error on GNU/kFreeBSD due to a hard kernel limit on locked pages.
Try increasing the vm.max_wired sysctl to be somewhat larger than
vm.stats.vm.v_wire_count.

[1] http://www.freebsd.org/cgi/man.cgi?query=mlock&apropos=0&sektion=0&manpath=FreeBSD+8.1-RELEASE&format=html

[2] http://www.gnupg.org/faq.html#q6.1

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: kfreebsd-amd64 (x86_64)

Kernel: kFreeBSD 8.1-1-amd64
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnupg depends on:
ii  dpkg1.15.8.4 Debian package management system
ii  gpgv1.4.10-4 GNU privacy guard - signature veri
ii  install-info4.13a.dfsg.1-5   Manage installed documentation in 
ii  libbz2-1.0  1.0.5-6  high-quality block-sorting file co
ii  libc0.1 2.11.2-6 Embedded GNU C Library: Shared lib
ii  libreadline66.1-3GNU readline and history libraries
ii  libusb-0.1-42:0.1.12-16  userspace USB programming library
ii  zlib1g  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages gnupg recommends:
pn  gnupg-curlnone (no description available)
ii  libldap-2.4-2 2.4.23-6   OpenLDAP libraries

Versions of packages gnupg suggests:
ii  eog   2.30.2-1   Eye of GNOME graphics viewer progr
pn  gnupg-doc none (no description available)
pn  libpcsclite1  none (no description available)

-- no debconf information
diff -ur gnupg-1.4.10.old/debian/rules gnupg-1.4.10/debian/rules
--- gnupg-1.4.10.old/debian/rules	2010-09-29 10:58:26.0 +0200
+++ gnupg-1.4.10/debian/rules	2010-09-29 11:30:39.978762382 +0200
@@ -18,6 +18,7 @@
 DEB_BUILD_GNU_TYPE = $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 DEB_HOST_GNU_TYPE  = $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_BUILD_ARCH:= $(shell dpkg-architecture -qDEB_BUILD_ARCH)
+DEB_HOST_ARCH_OS  := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
 
 CONFARGS  = --prefix=/usr --libexecdir=/usr/lib/ \
 --enable-mailto --with-mailprog=/usr/sbin/sendmail \
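Review bot: keying the later SUID step on DEB_HOST_ARCH_OS rather than DEB_BUILD_ARCH is the correct choice, because the setuid bit is a property of the system the package will run on, not the one building it; the `:=` immediate assignment matches the DEB_BUILD_ARCH line directly above, so this hunk only needs the operator column aligned with its neighbours if the file cares about that.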
@@ -130,6 +131,11 @@
 	dh_strip
 	dh_compress
 	dh_fixperms
+ifeq ($(DEB_HOST_ARCH_OS),kfreebsd)
+	# see http://www.gnupg.org/faq.html#q6.1
+	chown root:root	debian/gnupg/usr/bin/gpg
+	chmod 4755	debian/gnupg/usr/bin/gpg
+endif
 	dh_installdeb
 	dh_shlibdeps -X debian/gnupg/usr/lib/gnupg/gpgkeys_ldap -- -dRecommends $(CURDIR)/debian/gnupg/usr/lib/gnupg/gpgkeys_ldap -dDepends
 	dh_gencontrol
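Review bot: the chown/chmod block must stay after dh_fixperms, which is where it is here, since dh_fixperms strips setuid bits and would otherwise undo the 4755; that ordering constraint is worth stating in the in-recipe comment next to the FAQ link, because a later reordering of the dh_* calls would silently ship a non-SUID gpg without any build failure. Two smaller points: `chown root:root` is needed so the mode applies to the right owner (dh_fixperms already leaves files root-owned, but being explicit is fine), and the tabs between the command and its path argument in the two new recipe lines should be single spaces so they are not mistaken for recipe-prefix tabs when read.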

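The mechanism the report and Werner's FAQ pointer rely on, lock the secure-memory pages while still root and then drop root before doing anything else, as an added illustration in C that is not GnuPG's own code; secmem_init, privileges_dropped, secmem_free and secmem_selftest are names chosen here, not GnuPG functions.

```c
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/mman.h>

/* Added example, not GnuPG's code: the setuid-root pattern the thread relies on.
 * While still root, lock the secure-memory pages so they can never be paged to
 * swap; then drop root permanently before the program touches anything else.
 * Returns the buffer, or NULL if the mapping or the privilege drop failed.
 * *insecure is set to 1 when mlock() was refused: the "insecure memory" case. */
static void *secmem_init(size_t len, int *insecure)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    *insecure = (mlock(p, len) != 0);          /* step 1: pin the pages */

    /* Step 2: give up root whether or not the lock worked. setgid() comes
     * first because it fails once we are no longer root; setuid() from euid 0
     * resets real, effective and saved uid, so there is no way back to root. */
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) {
        munmap(p, len);
        return NULL;
    }
    return p;
}

/* Invariant after secmem_init(): effective ids equal the caller's real ids. */
static int privileges_dropped(void)
{
    return geteuid() == getuid() && getegid() == getgid();
}

/* Wipe before unlocking and unmapping so no secret survives in freed pages;
 * the volatile pointer keeps the compiler from eliding the zeroing loop. */
static void secmem_free(void *p, size_t len)
{
    volatile unsigned char *v = p;
    for (size_t i = 0; i < len; i++)
        v[i] = 0;
    munlock(p, len);
    munmap(p, len);
}

/* Runs the whole sequence once on one page; returns 1 on success, 0 otherwise. */
static int secmem_selftest(void)
{
    int insecure = 0;
    unsigned char *buf = secmem_init(4096, &insecure);
    if (buf == NULL || !privileges_dropped())
        return 0;
    buf[0] = 0x42;                              /* usable as ordinary memory */
    secmem_free(buf, 4096);
    return 1;
}
```

Run unprivileged, the drop is a no-op and `insecure` reports whether the kernel let the unprivileged mlock() through, which is exactly the condition behind the warning quoted in the report.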

Bug#598471: using insecure memory on GNU/kFreeBSD

2010-09-29 Thread Werner Koch
On Wed, 29 Sep 2010 11:41, r...@debian.org said:

> Upstream recommends [2] setting the SUID bit and assures that the program
> drops root privileges as soon as locked memory is allocated.

However it is much easier and more secure to enable encrypted swap
space than to use mlock.  It seems that gbde and the init scripts are
missing on GNU/kfreebsd.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



