Page MenuHome GnuPG
Create Task
Maniphest T1181

libgcrypt should not mess with capabilities or uids by default
Closed, ResolvedPublic
Actions

Description

The libgcrypt when the secure memory is initialized will either change uids if
real uid != effective uid, or attempt to drop capabilities if compiled with
libpcap support on Linux.

This should not be done in a general purpose crypto library as the application
which is setuid or has extra capabilities to acquire secure memory should drop
these on its own. The application could need these elevated priviledges for
other purposes.

Event Timeline

t8m added projects: libgcrypt, Bug Report.Jan 13 2010, 9:32 AM
t8m added a subscriber: t8m.
t8m added a comment.Jan 13 2010, 9:41 AM

See for example here:
http://code.google.com/p/cryptsetup/issues/detail?id=47

werner closed this task as Resolved.Jan 13 2010, 11:24 AM
werner claimed this task.
werner added a project: Not A Bug.

This is not a bug but a feature. If an application does not want this behaviour
it needs to register its own allocation handler.

t8m added a comment.Jan 13 2010, 11:58 AM

I am sorry but this is really misfeature rather than a feature. So you basically
say, that if caller of libgcrypt does not want to having it mess with uids and
capabilities it has to copy over about 600 lines from the secmem.c just to
delete the few calls?

Also doesn't the FIPS support require the default allocation handler as it
otherwise cannot guarantee the zeroization promises?

t8m reopened this task as Open.Jan 13 2010, 11:58 AM
t8m added a subscriber: gmazyland.Jan 13 2010, 12:19 PM
werner closed this task as Resolved.Feb 21 2011, 2:51 PM

FIPS requires anyway a specific machine and a specific built binary.