
Re: mutt/580: mutt stores PGP passphrase insecurely



On Mon, Oct 24, 2005 at 11:07:40AM -0400, David Shaw wrote:
> On Mon, Oct 24, 2005 at 11:03:15AM -0400, Derek Martin wrote:
> 
> > The only semi-reasonable solution I can think of is to have mutt
> > SUID, allocate a block of memory for storing the passphrase as soon
> > as humanly possible, and drop privileges immediately.  The amount of
> > exposed code should be very minimal...
> 
> Which is what GnuPG does, incidentally.

Indeed, but only if you install it SUID of course.  Which BTW, a
number of Linux distros DON'T do by default.  So if that concerns you,
you should check (Red Hat does not, for example).

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail.  Sorry for the inconvenience.  Thank the spammers.
