
Re: mutt/580: mutt stores PGP passphrase insecurely



On Fri, Sep 22, 2006 at 13:21:19 +0100, Paul Walker wrote:
> It doesn't do anything except log a debug message if it can't lock/unlock
> memory, which to me seems harmless but it's possible other systems might
> take exception to a non-root process trying to mlock. Could people using
> *BSD, Solaris etc. test this out please?
> 
> We might also want to raise the debuglevel from 3 to something higher once
> it's tested...

> +      if (mlock(PgpPass, sizeof(PgpPass)))
> +     dprint (3, (debugfile, "Couldn't lock passphrase in memory.\n"));
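Review bot: the failure branch under the if (mlock(PgpPass, sizeof(PgpPass))) line throws away errno, so the level-3 debug message cannot distinguish a locked-memory limit from a permission refusal; pass strerror(errno) into the dprint text. Also confirm that PgpPass is declared as an array here, because sizeof on a pointer would lock only pointer-size bytes rather than the whole passphrase buffer.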

While you're at it, you might want to evaluate the return code of
mlock()/munlock(). My manpage (old Linux 2.4.20 system) has the return
values ENOMEM, EPERM, EINVAL.

Moritz
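
The return-code handling suggested above, as an added example that is not part of the original message and is not mutt's code: it maps the three errno values named in the reply to distinct results and wipes the buffer before unlocking. All names (pass_buf, lock_secret, wipe_and_unlock, the enum) are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

enum lock_result { LOCK_OK, LOCK_LIMIT, LOCK_DENIED, LOCK_BADARG, LOCK_OTHER };

static char pass_buf[1024]; /* hypothetical passphrase buffer (added example, not mutt's) */

/* Map the errno left by mlock()/munlock() to a result the caller can act on. */
enum lock_result classify_lock_errno(int err)
{
  switch (err) {
  case 0:      return LOCK_OK;
  case ENOMEM: return LOCK_LIMIT;  /* e.g. over the locked-memory limit */
  case EPERM:  return LOCK_DENIED; /* process not allowed to lock memory */
  case EINVAL: return LOCK_BADARG; /* bad range; some systems want page alignment */
  default:     return LOCK_OTHER;
  }
}

/* Try to keep buf out of swap; report the reason if that fails. */
enum lock_result lock_secret(void *buf, size_t len)
{
  if (mlock(buf, len) == 0)
    return LOCK_OK;
  int err = errno; /* save before fprintf can overwrite it */
  fprintf(stderr, "mlock(%zu bytes): %s\n", len, strerror(err));
  return classify_lock_errno(err);
}

/* Zero the secret first, then release the lock if one was taken. */
enum lock_result wipe_and_unlock(void *buf, size_t len, int was_locked)
{
  volatile unsigned char *p = buf; /* volatile so the wipe is not optimised away */
  for (size_t i = 0; i < len; i++)
    p[i] = 0;
  if (!was_locked || munlock(buf, len) == 0)
    return LOCK_OK;
  return classify_lock_errno(errno);
}

int main(void)
{
  enum lock_result r = lock_secret(pass_buf, sizeof pass_buf);
  strcpy(pass_buf, "constructed sample passphrase");
  /* ... use the passphrase; if r != LOCK_OK it may still reach swap ... */
  return wipe_and_unlock(pass_buf, sizeof pass_buf, r == LOCK_OK) != LOCK_OK;
}
```

A failed lock is treated as non-fatal here, matching the patch's log-and-continue behaviour; a caller that must not risk swap can refuse to read the passphrase when the result is not LOCK_OK.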