
Re: mutt/580: mutt stores PGP passphrase insecurely



On Mon, Oct 24, 2005 at 11:42:43AM -0400, Derek Martin wrote:
> On Mon, Oct 24, 2005 at 11:07:40AM -0400, David Shaw wrote:
> > On Mon, Oct 24, 2005 at 11:03:15AM -0400, Derek Martin wrote:
> > 
> > > The only semi-reasonable solution I can think of is to have mutt
> > > SUID, allocate a block of memory for storing the passphrase as soon
> > > as humanly possible, and drop privileges immediately.  The amount of
> > > exposed code should be very minimal...
> > 
> > Which is what GnuPG does, incidentally.
> 
> Indeed, but only if you install it SUID of course.  Which BTW, a
> number of Linux distros DON'T do by default.  So if that concerns you,
> you should check (Red Hat does not, for example).

I think the Red Hat methodology is the right one in minimizing the
number of SUID binaries.  The user can then decide if they want
secure memory or not.  GnuPG gives a warning if it can't get secure
memory, so the user even knows to check.

I think it's possible to invest a lot of effort into the whole secure
memory question.  It's a real issue, to be sure, but how relevant is
it to most people?  For example, it's possible for an attacker with
root access to sniff out a passphrase from swap... but really, if an
attacker had root access, the game was already lost.

David
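The scheme the thread describes (start SUID, grab a locked buffer for the passphrase as early as possible, warn if locking fails, then drop privileges at once) as an added worked example in C. This is illustration written for this page, not code from mutt or GnuPG; the names secmem_alloc, secmem_store, secmem_free, drop_privileges and disable_core_dumps are assumed helpers, and the passphrase in main() is a constructed sample. The core-dump limit is an extra measure the thread does not mention; it is included because mlock() only keeps pages out of swap, it does not stop root (or a core file) from reading them.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/types.h>

/* Hypothetical secure-buffer descriptor (assumed name, not mutt's or GnuPG's API). */
struct secmem {
    void  *ptr;     /* page-aligned anonymous mapping */
    size_t len;     /* bytes mapped, rounded up to whole pages */
    int    locked;  /* 1 if mlock() succeeded, 0 if we fell back to unlocked memory */
};

/* Step 1: allocate the passphrase buffer while we may still hold root.
 * Locking needs either root or enough RLIMIT_MEMLOCK; if it fails we keep
 * going with ordinary memory but say so, as GnuPG does.  Returns 0 on success. */
int secmem_alloc(struct secmem *out, size_t want)
{
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0) pg = 4096;
    size_t len = ((want + (size_t)pg - 1) / (size_t)pg) * (size_t)pg;

    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;

    out->ptr = p;
    out->len = len;
    out->locked = (mlock(p, len) == 0);
    if (!out->locked)
        fprintf(stderr, "Warning: using insecure memory!\n");
    return 0;
}

/* Step 2: drop privileges immediately and verify the drop cannot be undone.
 * Group first: once the uid is gone we could not change the gid any more. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;
    if (geteuid() != ruid || getegid() != rgid) return -1;
    /* Fail closed if root could be regained via a lingering saved uid. */
    if (ruid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Locked pages still land in a core file; forbid core dumps altogether. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Copy a NUL-terminated passphrase into the buffer.  Returns its length or -1. */
int secmem_store(struct secmem *m, const char *pass)
{
    size_t n = strlen(pass);
    if (!m->ptr || n + 1 > m->len) return -1;
    memcpy(m->ptr, pass, n + 1);
    return (int)n;
}

/* volatile so the compiler cannot elide the wipe as a dead store. */
static void secmem_wipe(volatile unsigned char *p, size_t n)
{
    while (n--) *p++ = 0;
}

/* Step 3: scrub, unlock and unmap. */
void secmem_free(struct secmem *m)
{
    if (!m->ptr) return;
    secmem_wipe(m->ptr, m->len);
    if (m->locked) munlock(m->ptr, m->len);
    munmap(m->ptr, m->len);
    m->ptr = NULL;
    m->len = 0;
    m->locked = 0;
}

int main(void)
{
    struct secmem m = { NULL, 0, 0 };
    if (secmem_alloc(&m, 256) != 0) { perror("secmem_alloc"); return 1; }
    if (drop_privileges() != 0)     { fprintf(stderr, "cannot drop privileges\n"); return 1; }
    if (disable_core_dumps() != 0)  { perror("setrlimit"); return 1; }

    /* Constructed sample passphrase; a real program would read it from the user. */
    int n = secmem_store(&m, "correct horse battery staple");
    printf("stored %d bytes in %s memory, now running as uid %ld\n",
           n, m.locked ? "locked" : "unlocked", (long)geteuid());
    secmem_free(&m);
    return 0;
}
```

Run it as an ordinary user and mlock() will normally still succeed for a single page (it falls within the default RLIMIT_MEMLOCK), so the warning is only printed when the limit is exhausted or zero; install it SUID root and the lock is guaranteed, but every line before drop_privileges() then runs with root's authority, which is why the allocation is the only thing done there.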