Re: mutt/580: mutt stores PGP passphrase insecurely
The following reply was made to PR mutt/580; it has been noted by GNATS.
From: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
To: bug-any@xxxxxxxxxxxxx, Mutt Developers <mutt-dev@xxxxxxxx>,
96144@xxxxxxxxxxxxxxx, wk@xxxxxxxxx
Cc:
Subject: Re: mutt/580: mutt stores PGP passphrase insecurely
Date: Mon, 10 Oct 2005 12:27:54 +0200
On 2005-10-09 11:03:25 -0400, Derek Martin wrote:
> Well, this is very far from my area of expertise; but we all know
> someone for whom this kind of issue is near and dear... Does
> Werner have anything to say about this? I could do some
> research, but I think it would be better to get input from
> someone with more experience. FWIW, how does GPG handle this
> problem?
You can run gpg setuid root so the memory that is used for sensitive
information is locked. That helps against having the sensitive
information in your swap partition.
> I admit, at first glance methods of solving this seem... yucky.
> For example, locking memory (so that it does not swap to disk)
> requires root privileges on most platforms... making mutt SUID
> root seems like a very bad idea. But perhaps mutt could have its
> own passphrase agent.
In that case, why not re-use gpg's?
> In the end, you have a point; methods of attacking the passphrase
> in memory require the ability to either assume the user's
> privileges, or assume root privileges. If an attacker can do
> that, most likely all bets are off anyway. For example, if a
> rogue sysadmin were so inclined, he could install a trojaned mutt
> which collects private key passphrases.
> Still, I'd like to hear what others with more experience than I
> have to say about this issue. I think it would be somewhat
> reassuring for users who don't control the system(s) on which
> they use mutt, and don't have access to gpgagent, if some attempt
> at solving this was made.
If you don't control a system and don't trust the people who control
it, then, please, don't process sensitive information on it.
This also applies, by the way, to running gpg-agent or gpg on such
systems.
Regards,
-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.
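The memory-locking technique discussed above (pin the passphrase buffer in RAM so it is never written to swap, then wipe it before release), as an added example that is not part of this thread and not mutt's or GnuPG's own code. It assumes Linux/glibc; the secmem_* names and the sample passphrase are hypothetical. Unlike the setuid-root approach mentioned in the reply, it simply reports whether mlock() succeeded: on current Linux an unprivileged process may lock memory up to its soft RLIMIT_MEMLOCK, and beyond that mlock() fails with ENOMEM (or EPERM without the privilege), which is exactly the case a caller has to notice rather than assume.

```c
/* Added example, not mutt's or GnuPG's code.  Hypothetical secmem_* helpers
 * for keeping a passphrase out of swap and core dumps.  Linux/glibc assumed. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/resource.h>

typedef struct {
    unsigned char *ptr;    /* page-aligned anonymous mapping */
    size_t         len;    /* mapping length, multiple of the page size */
    int            locked; /* 1 if mlock() succeeded, else 0 */
    int            err;    /* errno from mlock() when locked == 0 */
} secmem_t;

/* Round n up to a multiple of page (page is a power of two). */
size_t secmem_round_up(size_t n, size_t page)
{
    return (n + page - 1) & ~(page - 1);
}

/* Soft RLIMIT_MEMLOCK in bytes: -1 for unlimited, -2 on error.
 * This is the bound mlock() enforces for an unprivileged process. */
long long secmem_lock_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return -2;
    return rl.rlim_cur == RLIM_INFINITY ? -1 : (long long)rl.rlim_cur;
}

/* Map want bytes, try to pin them in RAM, and exclude them from core dumps.
 * Returns 0 if the buffer is usable; m->locked says whether the swap
 * protection actually took effect, so callers can warn instead of assuming. */
int secmem_alloc(secmem_t *m, size_t want)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || want == 0)
        return -1;
    size_t len = secmem_round_up(want, (size_t)page);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    m->ptr = p;
    m->len = len;
    m->err = 0;
    m->locked = (mlock(p, len) == 0);
    if (!m->locked)
        m->err = errno;  /* ENOMEM: over RLIMIT_MEMLOCK; EPERM: no privilege */
#ifdef MADV_DONTDUMP
    (void)madvise(p, len, MADV_DONTDUMP);  /* Linux: keep out of core dumps */
#endif
    return 0;
}

/* Zero n bytes through a volatile pointer so the compiler cannot drop the
 * stores as dead writes to memory that is about to be released. */
void secmem_wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

/* 1 if all n bytes at p are zero; used to confirm a wipe. */
int secmem_is_zero(const void *p, size_t n)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != 0)
            return 0;
    return 1;
}

/* Wipe, unlock and unmap.  Returns 0 on success, -1 if nothing is mapped. */
int secmem_free(secmem_t *m)
{
    if (!m->ptr)
        return -1;
    secmem_wipe(m->ptr, m->len);
    if (m->locked)
        (void)munlock(m->ptr, m->len);
    int rc = munmap(m->ptr, m->len);
    m->ptr = NULL; m->len = 0; m->locked = 0;
    return rc;
}

int main(void)
{
    secmem_t m;
    if (secmem_alloc(&m, 256) != 0) { perror("secmem_alloc"); return 1; }
    const char sample[] = "correct horse battery staple";  /* constructed stand-in */
    memcpy(m.ptr, sample, sizeof sample);
    printf("RLIMIT_MEMLOCK soft limit: %lld bytes\n", secmem_lock_limit());
    printf("passphrase buffer %s\n",
           m.locked ? "locked in RAM" : "NOT locked, may reach swap");
    if (!m.locked) printf("mlock: %s\n", strerror(m.err));
    return secmem_free(&m) == 0 ? 0 : 1;
}
```

The design point is the locked flag: a mailer that reads a passphrase into a buffer it believes is pinned, when mlock() actually failed, is in the situation the bug report describes, so the failure has to be surfaced (warn the user, or refuse to cache the passphrase) rather than ignored. Raising the soft RLIMIT_MEMLOCK (ulimit -l) is the unprivileged way to make the lock succeed; GnuPG's historical answer, as the reply says, was to lock its pool while setuid root and then drop the privilege.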