Problems with private keyring?

Matthias Urlichs smurf@noris.de
Thu Mar 22 18:00:02 2001


Hi,

Arno Wagner:

> However as Werner Koch pointed out this is comparable to an
> attack that replaces the GunPG binary with a trojan horse.
Not quite.
> as root it depends. I would say hacking an individual user
> with good password is not significantly easier than hacking
> root.
... unless you have an insecure NFS environment (even if root is mapped to nobody, anybody can access anybody else's home network directory by locally creating a user with the same UID). This method can be used to gain the target's UID on their workstation if network logins are allowed and setuid on the network volumes is not disabled, or if there's a security hole on the target system, or ... There are many places out there who have neither of these security problems plugged. :-/ Thus I agree that while panic is inappropriate, we shouldn't trivialize the problem either. It _does_ allow some people to gain access to secret keys who couldn't get it so otherwise. -- Matthias Urlichs | noris network AG | http://smurf.noris.de/