On Mon, Jul 28, 2008 at 10:54:40PM -0500, Kyle Wheeler wrote:
> On Monday, July 28 at 07:56 PM, quoth Derek Martin:
> >On Mon, Jul 28, 2008 at 12:58:00PM -0500, Kyle Wheeler wrote:
> >> Nothing will be stored in plaintext on disk, your encryption is
> >> guaranteed to be world-class, and best of all: it will work on
> >> virtually any Unix machine.
> >
> >...unless bash swaps out the environment...
>
> ... why, in that example, would bash do that?

Well, technically, bash wouldn't... the kernel would. And it would do so
because it needs the physical memory where bash is holding its copy of the
environment for another process that doesn't fit in free memory (or other
reasons)... The kernel has no way to know that the contents of a block of
memory are "sensitive" -- nor would it care if it did.

> Presumably, you can avoid that by removing the "exec" keyword in the
> script?

It can only be avoided by calling the mlock() system call (or equivalent,
in the case some OS has called it something else) on the appropriate block
of memory, which typically requires root privileges on Unix systems.
However, even if you could get bash to do this, its child processes may
(and generally will) have their own copy of the environment, which might
also get swapped out...

The risk here is tiny, but non-zero. Someone would have to be able to gain
root privileges to read the raw swap device to get your passphrase. You
ought to trust the actual root user, as root can just snarf your passphrase
out of memory... but a root exploit would expose you to risk of having your
passphrase stolen by a non-root user.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result
in undeliverable mail due to spam prevention. Sorry for the inconvenience.
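The mitigation Derek names, mlock() on the block holding the passphrase, as an added example that is not part of the thread: a page-aligned buffer is pinned so the kernel will not write it to swap, wiped before release, and never exported into the environment, since every child would inherit its own unlocked copy. It assumes Linux/POSIX; the function names and the sample passphrase are constructed for this example, and on an unprivileged account the lock may be refused by RLIMIT_MEMLOCK, which the code reports rather than ignores.

```c
#define _POSIX_C_SOURCE 200809L
/* Hold a passphrase in memory the kernel will not swap (added example, not from the thread). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Page-aligned buffer pinned with mlock(), the call the message names; without it the
 * kernel may write the page to swap. Returns NULL and *rc = -errno when the lock is refused. */
void *secret_alloc(size_t len, size_t *locked, int *rc)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t size = ((len + page - 1) / page) * page;
    void *buf = NULL;
    if (posix_memalign(&buf, (size_t)page, size) != 0) { *rc = -ENOMEM; return NULL; }
    if (mlock(buf, size) != 0) {       /* EPERM/ENOMEM: over RLIMIT_MEMLOCK, not root */
        *rc = -errno; free(buf); return NULL;
    }
    *rc = 0; *locked = size;
    return buf;
}

/* volatile stops the compiler dropping the clear as a dead store before free() */
size_t secret_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    for (size_t i = 0; i < len; i++) p[i] = 0;
    return len;
}

void secret_free(void *buf, size_t locked)
{
    secret_wipe(buf, locked); munlock(buf, locked); free(buf);
}
/* 0: held in locked memory; 1: lock refused (unprivileged limit); -1: failure */
int demo_roundtrip(void)
{
    const char secret[] = "correct horse battery staple"; /* constructed sample */
    size_t n = 0; int rc = 0;
    char *buf = secret_alloc(sizeof secret, &n, &rc);
    if (!buf) return (rc == -EPERM || rc == -ENOMEM) ? 1 : -1;
    memcpy(buf, secret, sizeof secret);  /* copied once, never putenv()'d or exported */
    int ok = strcmp(buf, secret) == 0;
    secret_free(buf, n);                 /* wiped before the page is reused */
    return ok ? 0 : -1;
}

int main(void) { int r = demo_roundtrip(); printf("mlock status: %d\n", r); return r < 0; }
```

A status of 1 means the kernel refused the lock; raise the soft RLIMIT_MEMLOCK (ulimit -l) or run the program with the needed privilege, which is the requirement the message points out.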