PGP swap to disk?

sen_ml@eccosys.com
Tue, 14 Sep 1999 08:48:30 +0900


arth> My admin is balking at making GPG setuid root to prevent swaps to disk.
arth> He says that he's used PGP before, and that it didn't need to be setuid
arth> root.

arth> Is it the case that PGP doesn't address this particular issue, and
arth> therefore swaps to disk can occur?

yes, i think pgp doesn't address this issue.

imho, whether it is installed setuid root is a tradeoff -- one must
balance the swap-to-disk issue w/ potential buffer overflows in gpg
and decide.  

it isn't obvious to me how you can have it both ways w/o changes to
the way unswappable memory (mlock()?) works in certain operating
systems.  if non-root users were allowed to lock a certain amount of
memory (i presume you'd want limits to at least prevent users from
making all memory unswappable) so that that memory became unswappable,
then it doesn't seem like gpg would have to be setuid root.

warning: i am no expert :-)

arth> What attack is being countered by preventing a swap to disk?

someone else has explained it well already, i think :-)

btw, do you log in to this machine over the network?  i'd be pretty
concerned if so -- wouldn't it mean that your passphrase goes over
the network?  (even if it is encrypted over ssh, i wouldn't feel
comfortable...)
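
The per-user locked-memory allowance the reply asks for, sketched in C as an added example (not part of the original message and not GnuPG's code). It assumes a system, such as current Linux, where an unprivileged process may mlock() up to its RLIMIT_MEMLOCK limit; `secure_buf`, `secure_alloc`, `secure_free` and `fits_memlock_limit` are hypothetical names.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes MAP_ANONYMOUS on glibc */
#endif
#include <stdio.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

typedef struct {
    void  *ptr;    /* page-aligned mapping holding the secret */
    size_t len;    /* size rounded up to whole pages */
    int    locked; /* 1 if mlock() succeeded, 0 if the pages may be swapped */
} secure_buf;

/* Does a lock of `len` bytes fit under this process's soft RLIMIT_MEMLOCK? */
int fits_memlock_limit(size_t len) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0) return 0;
    return rl.rlim_cur == RLIM_INFINITY || len <= rl.rlim_cur;
}

/* Map `want` bytes and try to pin them in RAM. Returns 0 on success, -1 on
   error. A failed mlock() is not fatal: the caller inspects b->locked. */
int secure_alloc(secure_buf *b, size_t want) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || want == 0) return -1;
    b->len = (want + (size_t)page - 1) / (size_t)page * (size_t)page;
    b->ptr = mmap(NULL, b->len, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (b->ptr == MAP_FAILED) { b->ptr = NULL; return -1; }
    b->locked = (mlock(b->ptr, b->len) == 0);
    return 0;
}

/* Overwrite the secret before the pages are unlocked and returned. */
void secure_free(secure_buf *b) {
    volatile unsigned char *p = b->ptr;
    for (size_t i = 0; i < b->len; i++) p[i] = 0;
    if (b->locked) munlock(b->ptr, b->len);
    munmap(b->ptr, b->len);
    b->ptr = NULL; b->len = 0; b->locked = 0;
}

int main(void) {
    secure_buf b;
    if (secure_alloc(&b, 64) != 0) { perror("secure_alloc"); return 1; }
    snprintf(b.ptr, b.len, "constructed sample passphrase"); /* made-up secret */
    printf("fits limit: %d, locked: %d\n", fits_memlock_limit(b.len), b.locked);
    secure_free(&b);
    return 0;
}
```

When `locked` comes back 0 the buffer is still usable but may be paged out, so the caller has to choose between refusing to handle the secret and continuing with a warning.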