FreeBSD Memory Pages Not Locked?

S?r?ciya Kurdistan? sereciya at kurdistan.ath.cx
Wed Apr 16 16:54:58 PDT 2003 

Hello,

> >   So my question is:  does FreeBSD really not have support for
> >                       locking memory pages?
> 
> Not by non root users.
>  
> >                       if this is true, then what is the reason
> >                       that this has not yet been implemented,
> >                       is this not an important security feature?
> 
> (I assume) because if any user could lock pages in memory, so that it
> could not be swapped, they could cause the system to run low on physical
> memory, resulting in a DoS (Denial of service) attack.

  I see.  Would having an encrypted swap like in OpenBSD help? ;)

>  
> >                       otherwise... if FreeBSD does in fact have
> >                       support for locking memory pages, then
> >                       why am I getting this error message?
> 
> Because you haven't made gpg setuid root (chmod u+s /usr/local/bin/gpg
> should achieve that -- but there are security considerations).  You should
> either: accept that your passphrase/private key may end up on swap at some
> point; or set the program set-uid root, and accept that any security
> problems in gpg (before the point where it drops privileges) could result
> in your root account being comprimised (and the gpg binary being replaced
> with another one that e-mails your passphrase around the globe).

  No no... the question was missinterpreted.

  I meant specificaly to say: "if it is the case that FreeBSD does support
  locked memory pages (non-root), then why is there an error?" ;)

> The correct solution depends on how paranoid you are, who has access to
> your box, etc.

  Thank you.  Those are clearly valid considerations.  I guess it would
  be wise to generate the keys while the box has no network access; this,
  rather than to set the suid bit on the binary.

> >   If any of you have encountered this problem, and would like
> >   to offer some help &| advice, you have a captive audience
> >   of at least one, me!
 
> Most of this was explained in the FAQ that you posted, I'm not entirely
> sure how you didn't understand it, 

  ;)  you too did not understand my question properly.  I guess it's just
      that we're human, right?

> but possibly it's badly worded and i
> just intuitively understand it because I know the answer already.

  Having already experienced something makes it seem intuitive to you.
  Obviously had I experienced that also, I probably wouldn't be posting
  this question which likely seems silly to you, but thanks anway ;)

  Very informative, thank you.

--$êrêciya Kurdistanî
+--------------------------------------------------------------+
| Welat xwe ava nake, dest bidin hevdu, pist nedin tu dijminî  |
|   Riya azadiyê ne hêsan e, hêviya xwe bernedin, dema me      |
|     nêzîk e.                                                 |
|                                                              |
| Hevaltî bi kesên du rû nekin, hevaltî bi hevdu ra bikin      |
|   Ne ji hevaltiya wan kesên pêxwas û rû dirêj, ne bi wan     |
|     kesên xwînperest, ne jî ji yên din.                      |
|                                                              |
|                                   -$êrêciya Kurdistanî       |
+--------------------------------------------------------------+
  translation provided on request: sereciya at kurdistan.ath.cx
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20030416/87abac5d/attachment.bin

More information about the freebsd-questions mailing list