"Insecure memory" (yes setuid set) and "get_passphrase failed"
Mario Castelán Castro
marioxcc.MT at yandex.com
Tue Sep 5 02:45:55 CEST 2017
On 03/09/17 17:42, Dan Horne wrote:
> Warning: using insecure memory!
> gpg-agent[10073]: command get_passphrase failed: End of file
> gpg: problem with the agent: End of file
> gpg: Key generation canceled.
There seems to be 2 different problems here:
* That gpg (or gpg-agent) fail when calling pinentry. (the
“get_passphrase” fail.
* That memory pages can not be locked (“using insecure memory!”).
However, I do not know how to solve either.
My understanding is that “insecury memory” means simply that gpg can not
lock memory pages so as to reduce the probability that they are written
to swap. This is only a security concern if an attacker can read the raw
disk device.
> Regarding the warning, the recommended response I found via Internet search
> was:
>
> # chmod u+s /path/to/gpg
>
> This was done, but didn't affect the warning:
Are you sure that this is required in Solaris? At least in Debian
GNU/Linux there is no need to setuid the gpg binary to root. Root setuid
programs are a security problem. If an attacker can get control of this
program, he can operate with root privileges.
Look for what the requirement for locking pages are in the Solaris
documentation.
> After a bit more Googling, I tried adding the following to my gpg.conf
> file, but it caused a syntax error:
>
> pinentry-program /opt/csw/bin/pinentry-curses
“pinentry-program” is an option of gpg-agent, not gpg. If you want to
specify this option, you must put it in “$HOME/.gnupg/gpg-agent.conf”.
--
Do not eat animals; respect them as you respect people.
https://duckduckgo.com/?q=how+to+(become+OR+eat)+vegan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170904/0c268a55/attachment.sig>
More information about the Gnupg-users
mailing list