FreeBSD Memory Pages Not Locked?
S?r?ciya Kurdistan?
sereciya at kurdistan.ath.cx
Wed Apr 16 16:54:58 PDT 2003
Hello,
> > So my question is: does FreeBSD really not have support for
> > locking memory pages?
>
> Not by non root users.
>
> > if this is true, then what is the reason
> > that this has not yet been implemented,
> > is this not an important security feature?
>
> (I assume) because if any user could lock pages in memory, so that it
> could not be swapped, they could cause the system to run low on physical
> memory, resulting in a DoS (Denial of service) attack.
I see. Would having an encrypted swap like in OpenBSD help? ;)
>
> > otherwise... if FreeBSD does in fact have
> > support for locking memory pages, then
> > why am I getting this error message?
>
> Because you haven't made gpg setuid root (chmod u+s /usr/local/bin/gpg
> should achieve that -- but there are security considerations). You should
> either: accept that your passphrase/private key may end up on swap at some
> point; or set the program set-uid root, and accept that any security
> problems in gpg (before the point where it drops privileges) could result
> in your root account being comprimised (and the gpg binary being replaced
> with another one that e-mails your passphrase around the globe).
No no... the question was missinterpreted.
I meant specificaly to say: "if it is the case that FreeBSD does support
locked memory pages (non-root), then why is there an error?" ;)
> The correct solution depends on how paranoid you are, who has access to
> your box, etc.
Thank you. Those are clearly valid considerations. I guess it would
be wise to generate the keys while the box has no network access; this,
rather than to set the suid bit on the binary.
> > If any of you have encountered this problem, and would like
> > to offer some help &| advice, you have a captive audience
> > of at least one, me!
> Most of this was explained in the FAQ that you posted, I'm not entirely
> sure how you didn't understand it,
;) you too did not understand my question properly. I guess it's just
that we're human, right?
> but possibly it's badly worded and i
> just intuitively understand it because I know the answer already.
Having already experienced something makes it seem intuitive to you.
Obviously had I experienced that also, I probably wouldn't be posting
this question which likely seems silly to you, but thanks anway ;)
Very informative, thank you.
--$êrêciya Kurdistanî
+--------------------------------------------------------------+
| Welat xwe ava nake, dest bidin hevdu, pist nedin tu dijminî |
| Riya azadiyê ne hêsan e, hêviya xwe bernedin, dema me |
| nêzîk e. |
| |
| Hevaltî bi kesên du rû nekin, hevaltî bi hevdu ra bikin |
| Ne ji hevaltiya wan kesên pêxwas û rû dirêj, ne bi wan |
| kesên xwînperest, ne jî ji yên din. |
| |
| -$êrêciya Kurdistanî |
+--------------------------------------------------------------+
translation provided on request: sereciya at kurdistan.ath.cx
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20030416/87abac5d/attachment.bin
More information about the freebsd-questions
mailing list