Insecure memory error -GnuPG on HPUX
Kim Harris
kim@entrix.co.uk
Thu, 23 Sep 1999 10:35:06 +0100
Thanks to Michael Roth and Dave Harvill for responses to this.
I have now setuid(root) on /usr/local/bin/gpg but the problem
still occurs unless I turn off the warning. Obviously I would
rather cure the problem than the symptom.
I did a chmod +s gpg from root and it now shows as
-rwsr-sr-x 1 root sys 3795476 Sep 17 15:27 gpg
but I still get the error:
gpg: Warning: using insecure memory!
Is it insufficient to set the bits or is there something else I need
to do during the install? The make install was done from root.
TIA
Kim Harris
-----Original Message-----
From: Michael Roth [SMTP:mroth@nessie.de]
Sent: Thursday, September 23, 1999 9:20 AM
To: Kim Harris
Cc: 'gnupg-users@gnupg.org'
Subject: Re: Insecure memory error -GnuPG on HPUX
On Wed, 22 Sep 1999, Kim Harris wrote:
> gpg: Warning: using insecure memory!
This message tells you that GnuPG can't lock memory pages to prevent
paging for secret data. Quote from the GnuPG manpage:
On many systems this program should be installed as
setuid(root). This is necessary to lock memory pages.
Locking memory pages prevents the operating system from
writing memory pages to disk. If you get no warning message
about insecure memory your operating system supports
locking without being root. The program drops root privileges
as soon as locked memory is allocated.
Because your OS doesn't support locking without being setuid(root) you
will see this message. There are two ways to get rid of this message:
1.) Install GnuPG setuid(root). This will make GnuPG more secure.
2.) Use the option --no-secmem-warning. You can use this option in
your config file. Please note: The danger will remain that the OS
could page secret data to the swap partition!
> I can't find any reference to it in the docs unless it is to
> do with memory guard. The configure was run with
> --enable-m-guard
> but that doesn't make any difference.
--enable-m-guard is only for developers. This is to help find memory
leaks and errors. This configure option is not for end users.
cu
Michael
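
The sequence the manpage quote describes (lock a pool of pages, warn if that fails, then drop root) as an added C sketch; it is not GnuPG's code and not part of the original thread, and `secmem_init`, `secmem_term` and the pool size are hypothetical. The warning also prints the mlock error and the effective UID, which shows whether the setuid bit actually took effect at run time.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define POOL_SIZE 16384  /* assumed pool size for this sketch */
static void *pool;       /* page-aligned region meant for secret data */
static int pool_locked;  /* 1 if mlock() succeeded */

/* Allocate the pool, try to lock it, then give up any setuid privilege.
   Returns 1 if locked, 0 if usable but pageable, -1 on hard failure. */
int secmem_init(void)
{
    pool = mmap(NULL, POOL_SIZE, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (pool == MAP_FAILED) { pool = NULL; return -1; }

    if (mlock(pool, POOL_SIZE) == 0)
        pool_locked = 1;
    else
        fprintf(stderr, "warning: using insecure memory (mlock: %s, euid=%ld)\n",
                strerror(errno), (long)geteuid());

    /* Drop privileges whether or not locking worked, and verify the drop. */
    if (setuid(getuid()) != 0 || geteuid() != getuid())
        return -1;
    return pool_locked;
}

/* Overwrite secrets before unlocking and releasing the pool. */
void secmem_term(void)
{
    volatile unsigned char *p = pool;
    if (!pool) return;
    for (size_t i = 0; i < POOL_SIZE; i++) p[i] = 0;
    if (pool_locked) munlock(pool, POOL_SIZE);
    munmap(pool, POOL_SIZE);
    pool = NULL; pool_locked = 0;
}

int main(void)
{
    int r = secmem_init();
    printf("secure memory: %s\n", r == 1 ? "locked" : r == 0 ? "NOT locked" : "error");
    secmem_term();
    return r < 0;
}
```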