FreeBSD Memory Pages Not Locked?
Jason Stone
freebsd-performance at dfmm.org
Wed Apr 16 17:10:14 PDT 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> I recently installed "gpnupg" from the ports collection and
> upon running it (after the key generation), I found myself
> seeing the following error:
>
> gpg: Warning: using insecure memory!
1) This is a question for freebsd-security, not freebsd-performance
2) Yes, freebsd does support locking pages in memory with mlock, but only
root can call mlock. If you make gpg setuid root (chmod 4111 `which gpg`)
then it will be able to mlock and the warning will go away.
However, you must decide if that is a good security practice, because now
bugs in gpg can be used to gain root on that machine, and if an attacker
gains root, he gain just sniff your tty and get your passphrase next time
you enter it. Additionally, other programs on the machine do not mlock
sensitive data into core (think login, sshd, ssh-agent, etc), so you're
already vulnerable to having sensitive data retrieved from swap.
If having sensitive data retrieved from swap is really a concern for you,
run freebsd-5 and use gbde to encrypt your whole swap partition.
3) Or, just add "no-secmem-warning" to your ~/.gnupg/options to silence
the warning. It's really unlikely that an attack on unencrypted data in
swap will ever affect you.
-Jason
--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
that he was insufficiently fondled when he was an infant.
-- Ashley Montagu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg
iD8DBQE+nfDlswXMWWtptckRAupFAKDtyHf26X3TsAJ6qh67rQHPqXIT6gCguXmA
A5immbQ9tsm+aN40DXbCxek=
=hllG
-----END PGP SIGNATURE-----
More information about the freebsd-performance
mailing list