[Fwd: perl EUID change causing failure]

Marcel Chastain - Security Administration mchastain at ipowerweb.com
Tue Aug 1 20:30:14 CEST 2006


David Shaw wrote:
> On Mon, Jul 31, 2006 at 05:21:44PM -0700, Marcel Chastain - Security 
> Administration wrote:
>  
>> Yeah, I already have a workaround in place, I just wanted to report 
>> it to the community/developers. This is a new bug, and I think they'd 
>> be interested in why it's happening... Perhaps the gnupg-devel 
>> mailing list would be better..?
>>     
>
> This is not a bug, and it certainly isn't new behavior.  GnuPG will
> not run if the euid does not match the uid.  On a number of platforms,
> GnuPG is installed setuid root so it can grab locked/unswappable
> memory.  Once it has allocated a block of memory, it drops root privs.
> To prevent any chance of an attacker fooling the system into letting
> it keep root privs, it will halt if euid!=uid.
>
> David
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
>   

This is certainly a dirty/harsh/feng-shui-less way of failing/exiting. I 
would expect a normal internal check, and an appropriate error message 
if this sort of thing is expected, i.e. "Security Violation" or 
something similar. I mean, if you change the behavior of a program to 
disallow a certain condition, you test for that condition and exit 
properly, right..? Perhaps I'm gullible, but when a program tells me

"Ohhhh jeeeee: ... this is a bug"

I tend to think that it is a bug.

But you are right, the program probably thinks that it is being tricked 
into keeping root privileges, hence the harsh failure and funky message. 
Thanks for your help. ;-)

-- 

#######################
Marcel C.
Security Administration
iPower, Inc.




More information about the Gnupg-users mailing list