[Fwd: perl EUID change causing failure]
Marcel Chastain - Security Administration
mchastain at ipowerweb.com
Tue Aug 1 20:30:14 CEST 2006
David Shaw wrote:
> On Mon, Jul 31, 2006 at 05:21:44PM -0700, Marcel Chastain - Security
> Administration wrote:
>
>> Yeah, I already have a workaround in place, I just wanted to report
>> it to the community/developers. This is a new bug, and I think they'd
>> be interested in why it's happening... Perhaps the gnupg-devel
>> mailing list would be better..?
>>
>
> This is not a bug, and it certainly isn't new behavior. GnuPG will
> not run if the euid does not match the uid. On a number of platforms,
> GnuPG is installed setuid root so it can grab locked/unswappable
> memory. Once it has allocated a block of memory, it drops root privs.
> To prevent any chance of an attacker fooling the system into letting
> it keep root privs, it will halt if euid!=uid.
>
> David
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
>
This is certainly a dirty/harsh/feng-shui-less way of failing/exiting. I
would expect a normal internal check, and an appropriate error message
if this sort of thing is expected, i.e. "Security Violation" or
something similar. I mean, if you change the behavior of a program to
disallow a certain condition, you test for that condition and exit
properly, right..? Perhaps I'm gullible, but when a program tells me
"Ohhhh jeeeee: ... this is a bug"
I tend to think that it is a bug.
But you are right, the program probably thinks that it is being tricked
into keeping root privileges, hence the harsh failure and funky message.
Thanks for your help. ;-)
--
#######################
Marcel C.
Security Administration
iPower, Inc.
More information about the Gnupg-users
mailing list