post-installation questions

David K. Trudgett dkt@registriesltd.com.au
Tue Oct 9 01:55:02 2001


On Sunday 2001-10-07 at 12:27:04 -0400, Justin R. Miller wrote:


> Thus spake Tuomas Pellonpera (tp58494@uta.fi):
>
> > This may be more serious. Every time I run gpg, it prints out this
> > complaint, "Warning: using insecure memory." How serious is this, and
> > what could be done about it?
>
> By default, GnuPG is not installed setuid root, which means that it runs
> as the user invoking it (on UNIX systems, anyway) -- just like 99% of
> your other user software. If you are not root, then the memory that is
> used to hold the unencrypted data as it is encrypted can possibly be
> swapped to disk (i.e. "virtual memory") and this disk memory could
> theoretically be read by others.
>
> As explained in the GnuPG manual, you may set the setuid root bit on the
> binary, which causes it to always run as root, no matter who invokes it.
> Then, root's memory is never swapped to disk. The reason that GnuPG is

I believe the system call under Linux to allocate non-swappable ("locked") memory can only be executed by a user with root privileges. This is probably true on most other Unixes, too, because of the scope for DoS attacks.

> not installed setuid root by default is that there should be some
> caution exercised whenever this bit is set on binaries, as
> vulnerabilities in the software can give root privileges to any local
> user.
>
> If you wish to set the bit, have a read of 'man chmod' to see how.
> However, this message is normal unless you do so.

Sorry, I didn't see the original post, but if the user is running Windows, it won't be possible to "chmod" it.

There is an option to stop this message being displayed. Put the following line in the GnuPG "options" file:

    no-secmem-warning

or use

    --no-secmem-warning

as a command line option to gpg. The "options" file is generally in the "~/.gnupg" directory or the "c:\gnupg" directory.

David Trudgett
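
The following C example is added here and is not part of the original message or GnuPG's source: it tries to pin a page-aligned buffer with mlock(), falls back to ordinary swappable memory with a warning like the one discussed above, and wipes the buffer before releasing it. The names secbuf, secbuf_alloc and secbuf_free are hypothetical; whether mlock() succeeds for an unprivileged user depends on the operating system and its resource limits.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Hypothetical names for illustration; this is not GnuPG's allocator. */
struct secbuf {
    void  *ptr;    /* page-aligned buffer for sensitive data */
    size_t len;    /* size rounded up to whole pages */
    int    locked; /* 1 if mlock() succeeded, 0 if pages may be swapped */
};

/* Allocate whole pages and try to pin them in RAM. Returns 0 on success. */
int secbuf_alloc(struct secbuf *b, size_t want)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || want == 0)
        return -1;
    b->len = (want + (size_t)page - 1) / (size_t)page * (size_t)page;
    b->ptr = aligned_alloc((size_t)page, b->len);
    if (b->ptr == NULL)
        return -1;
    b->locked = (mlock(b->ptr, b->len) == 0);
    if (!b->locked) /* typically EPERM or ENOMEM without enough privilege */
        fprintf(stderr, "warning: using insecure memory (%s)\n", strerror(errno));
    return 0;
}

/* Wipe the buffer, then unlock and release it. */
void secbuf_free(struct secbuf *b)
{
    volatile unsigned char *p = b->ptr;
    for (size_t i = 0; i < b->len; i++)
        p[i] = 0; /* volatile keeps the compiler from eliding the wipe */
    if (b->locked) munlock(b->ptr, b->len);
    free(b->ptr);
    b->ptr = NULL; b->len = 0; b->locked = 0;
}

int main(void)
{
    struct secbuf b;
    if (secbuf_alloc(&b, 64) != 0) return 1;
    strcpy((char *)b.ptr, "constructed secret"); /* constructed sample data */
    printf("locked=%d len=%zu\n", b.locked, b.len);
    secbuf_free(&b);
    return 0;
}
```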