False insecure memory warnings...

gabriel rosenkoetter gr@eclipsed.net
Fri Apr 4 20:59:01 2003

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Apr 04, 2003 at 12:51:42PM -0500, David Shaw wrote:
> Very interesting.  There are a few other reasons that GnuPG might be
> unable to get secure memory.  Being not setuid root (on those
> platforms that need it) is only the most common.

What is GnuPG's definition of "secure memory"? Does it have to be
wired kernel memory (to avoid being paged)?

I really hope that NetBSD's sysctls for this didn't change between
1.5 and 1.6; it'll harm binary package compatibility.

> What happens if you run this program out of cron in the same way
> (zsh -c 'time testprog').

Results for all my test cases:

> 52 13 * * * suidtest
UID: 1000
EUID: 0 =20

> 52 13 * * * /usr/local/bin/suidtest
UID: 1000
EUID: 0 =20

> 52 13 * * * time suidtest
UID: 1000
EUID: 0 =20
        1.10 real         0.00 user         0.06 sys

> 52 13 * * * zsh -c 'time suidtest'
UID: 1000
EUID: 0 =20
suidtest  0.00s user 0.06s system 2% cpu 2.046 total

> 52 13 * * * zsh -c 'time /usr/local/bin/suidtest'
UID: 1000
EUID: 0 =20
/usr/local/bin/suidtest  0.02s user 0.06s system 6% cpu 1.267 total

So euid isn't the problem, then.

Back to "what's GnuPG do to secure memory"? (Pointing me at the
right source file would be plenty...)

> The other obvious thing to try is to rebuild GnuPG to see if something
> changed in the underlying libraries when you upgraded NetBSD (you may
> have done this already).

Yeah, I do wonder if it's that... but I'm a little reluctant just to
blow away the problem version, since it'd make it hard to figure out
exactly what's causing this. :^>

I am building a new version of GnuPG in exactly the same way
(NetBSD's pkgsrc/security/gnupg), I just won't install it (yet).
(This is only a 300 MHz PowerPC G3 and a mere 20 MB/s SCSI disk,
so I'll let you know when I get a chance to test that version. :^>)

gabriel rosenkoetter

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.1 (NetBSD)