"Insecure memory" (yes setuid set) and "get_passphrase failed"

gnupg at raf.org gnupg at raf.org
Tue Sep 5 05:40:23 CEST 2017


Mario Castelán Castro wrote:

> On 03/09/17 17:42, Dan Horne wrote:
> > Warning: using insecure memory!
> > gpg-agent[10073]: command get_passphrase failed: End of file
> > gpg: problem with the agent: End of file
> > gpg: Key generation canceled.
> 
> There seems to be 2 different problems here:
> 
> * That gpg (or gpg-agent) fails when calling pinentry (the
> “get_passphrase” failure).
> 
> * That memory pages can not be locked (“using insecure memory!”).
> 
> However, I do not know how to solve either.
> 
> My understanding is that “insecure memory” means simply that gpg can not
> lock memory pages so as to reduce the probability that they are written
> to swap. This is only a security concern if an attacker can read the raw
> disk device.
> 
> > Regarding the warning, the recommended response I found via Internet search
> > was:
> > 
> > # chmod u+s /path/to/gpg
> > 
> > This was done, but didn't affect the warning:
> 
> Are you sure that this is required in Solaris? At least in Debian
> GNU/Linux there is no need to setuid the gpg binary to root. Root setuid
> programs are a security problem. If an attacker can get control of this
> program, he can operate with root privileges.

Root privileges are necessary on old operating systems like
Solaris 10 (not sure about 11) and Linux-2.6.8 and earlier
in order to lock pages in memory. It's not needed in modern
OSs (at least not in modern Linux).

Was gpg successfully changed to setuid root? That should have
made the warning go away (if it was gpg rather than pinentry
or gpg-agent producing the warning). But it's only a warning
anyway. The pinentry problem is the important one to fix.

> Look for what the requirement for locking pages are in the Solaris
> documentation.
> 
> > After a bit more Googling, I tried adding the following to my gpg.conf
> > file, but it caused a syntax error:
> > 
> > pinentry-program /opt/csw/bin/pinentry-curses
> 
> “pinentry-program” is an option of gpg-agent, not gpg. If you want to
> specify this option, you must put it in “$HOME/.gnupg/gpg-agent.conf”.
> 
> -- 
> Do not eat animals; respect them as you respect people.
> https://duckduckgo.com/?q=how+to+(become+OR+eat)+vegan
> 

> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
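As an added example (not from the thread or from GnuPG itself), a small POSIX sh helper that finds gpg-agent-only options mistakenly placed in gpg.conf, where gpg rejects them as a syntax error, and moves them into gpg-agent.conf where the agent actually reads them. The option names beyond pinentry-program are taken from the gpg-agent(1) manual, and `gpgconf --kill gpg-agent` is assumed to be available (GnuPG 2.1+).

```shell
#!/bin/sh
# Added example (not from the thread): find gpg-agent-only options that were put in
# gpg.conf, where gpg rejects them as a syntax error, and move them into
# gpg-agent.conf, which is where gpg-agent actually reads them.
# Assumption: the option names besides pinentry-program come from the gpg-agent(1)
# manual; $1 is a GnuPG home directory such as $HOME/.gnupg.

AGENT_ONLY_OPTS='pinentry-program default-cache-ttl max-cache-ttl allow-loopback-pinentry enable-ssh-support'

# Build an ERE that matches a line beginning with one of the agent-only options,
# followed either by whitespace and a value or by end of line.
agent_opt_regex() {
    printf '^[[:space:]]*(%s)([[:space:]]|$)' "$(printf '%s' "$AGENT_ONLY_OPTS" | tr ' ' '|')"
}

# Print the misplaced lines from $1/gpg.conf. Exit status 0 if any were found,
# 1 if gpg.conf is missing or contains none (grep's own convention).
misplaced_agent_opts() {
    conf="$1/gpg.conf"
    [ -f "$conf" ] || return 1
    grep -E "$(agent_opt_regex)" "$conf"
}

# Append the misplaced lines to $1/gpg-agent.conf and strip them from gpg.conf.
# New files are created with mode 0600, as GnuPG expects for its home directory.
move_agent_opts() {
    home="$1"
    lines=$(misplaced_agent_opts "$home") || return 0   # nothing to move
    regex=$(agent_opt_regex)
    ( umask 077; printf '%s\n' "$lines" >> "$home/gpg-agent.conf" )
    # grep -v exits 1 when no lines are left, which is not an error here
    ( umask 077; grep -vE "$regex" "$home/gpg.conf" > "$home/gpg.conf.tmp" || : )
    mv "$home/gpg.conf.tmp" "$home/gpg.conf"
}

# A running agent keeps its old configuration; gpgconf (GnuPG 2.1+) stops it so
# the next gpg invocation starts a fresh one that reads gpg-agent.conf.
reload_agent() {
    gpgconf --kill gpg-agent
}

# Usage, when run directly: ./fix-agent-opts.sh "$HOME/.gnupg"
if [ "$#" -eq 1 ] && [ -d "$1" ]; then
    move_agent_opts "$1" && reload_agent
fi
```

Running the script against a home directory where gpg.conf holds the thread's `pinentry-program /opt/csw/bin/pinentry-curses` line moves it to gpg-agent.conf and restarts the agent, so the next gpg call gets the intended pinentry.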