gpg-agent and memory locking
Werner Koch
wk@gnupg.org
Tue Sep 9 11:43:01 2003
On Mon, 8 Sep 2003 21:49:41 -0400, Todd said:
> I'm looking to find out if gpg-agent locks memory to prevent the passphrase
> from getting swapped and if it does, should it also be setuid root as gpg
> (on systems that require root access to lock memory that is)?
Yes it does. However the use of secure memory in gpg-agent needs to
be audited; it is likely that there are places where the passphrase
could pop up in memory.
I have also some severe doubts whether pinentry-qt makes proper use of
secure memory. pinentry-gtk should be better because it uses a widget
especially written to protect the passphrase.
> I've found a reference on this list that says it does do this and should be
> setuid but couldn't find anything else.
On those systems you need to make it setuid; the usual warning is not
yet printed, though.
--
Werner Koch <wk@gnupg.org>
The GnuPG Experts http://g10code.com
Free Software Foundation Europe http://fsfeurope.org
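
The pattern discussed in the message above, as an added C example that is not part of the original message and is not GnuPG's code: allocate page-aligned memory, lock it while any setuid-root privilege is still held, drop that privilege permanently, and wipe the buffer before release. The `secbuf_*` names and the sample passphrase are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>

/* Hypothetical helper type and names for this example; not GnuPG's API. */
struct secbuf { void *p; size_t len; int locked; };

/* Allocate whole pages, try to pin them in RAM, then permanently give up
   any setuid-root privilege. Returns 0 on success, -1 on failure. */
int secbuf_init(struct secbuf *b, size_t want)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    b->len = (want + page - 1) / page * page;   /* round up to full pages */
    b->p = aligned_alloc(page, b->len);
    if (!b->p) return -1;
    b->locked = (mlock(b->p, b->len) == 0);     /* may need root or RLIMIT_MEMLOCK */
    if (setuid(getuid()) != 0) { free(b->p); b->p = NULL; return -1; }
    return 0;
}

/* Overwrite through a volatile pointer so the stores are not optimised away. */
void secbuf_wipe(struct secbuf *b)
{
    volatile unsigned char *v = b->p;
    for (size_t i = 0; i < b->len; i++) v[i] = 0;
}

void secbuf_free(struct secbuf *b)
{
    if (!b->p) return;
    secbuf_wipe(b);                             /* clear before unlocking */
    if (b->locked) munlock(b->p, b->len);
    free(b->p);
    b->p = NULL; b->len = 0; b->locked = 0;
}

int main(void)
{
    struct secbuf b;
    if (secbuf_init(&b, 256) != 0) return 1;
    if (!b.locked)
        fprintf(stderr, "warning: memory not locked, secrets may reach swap\n");
    snprintf(b.p, b.len, "constructed sample passphrase"); /* constructed input */
    printf("locked=%d len=%zu\n", b.locked, b.len);
    secbuf_free(&b);
    return 0;
}
```

Locking only covers this one buffer: any copy of the passphrase made outside it (stdio buffers, GUI toolkit text widgets, stack temporaries) is not protected, which is the audit concern the message raises.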