David Shaw dshaw at jabberwocky.com
Thu Jun 12 02:57:44 CEST 2008

On Wed, Jun 11, 2008 at 08:11:36PM -0400, Faramir wrote:
> michael graffam wrote:
> >>     Or turn on typescript by default.
> > 
> > 
> > Doesn't save GPG passphrases.
>   Is typescript some sort of keylogger? If it is, I don't see any reason
> why a keylogger can't catch the gpg passphrase (warning: there may be a
> very good reason for that; I'm the one who doesn't see it).

Typescript is sort of an output keylogger.  It's mainly used to
produce a "script" of a session.  It's true that it doesn't record
passphrases, but you can write a program that does the same thing.

Note, I left out a line of code in the previous example if anyone
wants to try it:


>   So, if there is a way to increase security, I, as end user, would
> welcome it. But we need to always keep in mind security is never
> absolute. The only secure computer, is the one stored inside a safe.

Defending against LD_PRELOAD doesn't actually make GPG safer overall.
It just makes it more complex.

Incidentally, there is a really easy way to "defend" against
LD_PRELOAD in GPG: just make it setuid root.  GPG is smart enough to
see it is setuid root and drop the root privs early, and most dynamic
linkers automatically disable LD_PRELOAD for setuid binaries.

