Problems with private keyring?
Matthias Urlichs
smurf at noris.de
Thu Mar 22 18:00:02 CET 2001
Hi,
Arno Wagner:
> However as Werner Koch pointed out this is comparable to an
> attack that replaces the GunPG binary with a trojan horse.
Not quite.
> as root it depends. I would say hacking an individual user
> with good password is not significantly easier than hacking
> root.
... unless you have an insecure NFS environment (even if root is mapped
to nobody, anybody can access anybody else's home network directory
by locally creating a user with the same UID).
This method can be used to gain the target's UID on their workstation
if network logins are allowed and setuid on the network volumes is not
disabled, or if there's a security hole on the target system, or ...
There are many places out there who have neither of these security
problems plugged. :-/ Thus I agree that while panic is inappropriate,
we shouldn't trivialize the problem either. It _does_ allow some people
to gain access to secret keys who couldn't get it so otherwise.
--
Matthias Urlichs | noris network AG | http://smurf.noris.de/
More information about the Gnupg-devel
mailing list