Page MenuHome GnuPG

libgcrypt should not mess with capabilities or uids by default
Closed, ResolvedPublic


The libgcrypt when the secure memory is initialized will either change uids if
real uid != effective uid, or attempt to drop capabilities if compiled with
libpcap support on Linux.

This should not be done in a general purpose crypto library as the application
which is setuid or has extra capabilities to acquire secure memory should drop
these on its own. The application could need these elevated priviledges for
other purposes.

Event Timeline

werner claimed this task.
werner added a project: Not A Bug.

This is not a bug but a feature. If an application does not want this behaviour
it needs to register its own allocation handler.

I am sorry but this is really misfeature rather than a feature. So you basically
say, that if caller of libgcrypt does not want to having it mess with uids and
capabilities it has to copy over about 600 lines from the secmem.c just to
delete the few calls?

Also doesn't the FIPS support require the default allocation handler as it
otherwise cannot guarantee the zeroization promises?

FIPS requires anyway a specific machine and a specific built binary.