This is on purpose. By looking at all kind of different places you would get
whatever version is installed there and run into trouble figuring out how to
update it. Thus if your gpg-error is installed at a different place you should use
./configure --with-gpg-error-prefix=/usr
to tell configure to use the system provide libgpg-error. In general it is
better to use the latest libgpg-error, though.
Based on aheinecke's comments I'm closing this.
c) Run gpg-agent under gdb
d) Run a modified gpg-agent (rm ~/S.gpg-agent; my-gpg-agent --daemon)
e) Hook into the tty and use pinentry-curses
f) scp ~/.gnupg/private-keys-v1.d/* mybox: and sniff the passphrase.
so far, the proposed mechanisms for getting at gpg-agent's memory from a peer
process running as the same user are:
a) ptrace (e.g. via /usr/bin/gcore or /usr/bin/strace)
b) /proc/$PID/mem, which is owned by the user and mode 0600
DarkStarSword's patch effectively closes (a) (by rejecting ptrace connections)
and appears on my GNU/Linux system to close (b) as well: /proc/$PID/mem is
root-owned when the patch is applied instead of being user-owned.
Are there other channels for per-process memory access that we should be
thinking about?
I agree with Werner and Neal that the UNIX model is probably insufficient to
close all the holes easily, but i also don't think that's a good reason to avoid
closing those holes we can close.
If there are other ways that another process by the same user can get at the
RAM, please point them out and i'll look into ways to address them too.
In the meantime, i'll also look into ways to facilitate running the process as a
separate user account entirely.
I am closing this.
BTW: I can't share DarkStarSword's fear about prioritizing ease of debugging
over security - I would never do that for a real security problem; Neal and me
both explained why this proposed fix does can't help against an attack.
I'm going to introduce the prctl(SET_DUMPABLE, 0) change to main in
agent/gpg-agent.c in the debian 2.1.x series as of 2.1.7-1, using the patch i'm
attaching here.
I make no representations that this solves all possible memory leakages, but it
does address one specific and relatively straightforward attack.
As to Werner's legitimate concerns about making debugging harder, there remain
at least two options: ptrace as the superuser, and launching gpg-agent itself
under gdb directly.
If this experiment proves disastrous somehow (i'm not seeing how), we can always
revert the patch.
Glad I was able to help get one bug fixed at least :)
The in-memory encryption will definitely help in this scenario (that is, a
casual attack by e.g. a colleague or another student having a laugh as their
friend left their screen unlocked... real attack - I should know, I've done it,
and had it done to me, as had several of my friends back in uni (to be fair -
that was on Firefox password manager, but it could just as easily have been
gpg-agent)... This is not about stopping a motivated attacker with physical
access to the system as they could always subvert the system in other ways e.g.
adding a shell alias to run a trojaned gpg-agent instead of the real thing,
install a key logger, etc).
I'm still not super happy that a casual attacker could walk away with a core
file containing the encrypted passphrase and the key to decrypt it. What started
as a casual attack for a laugh could later transform into a more serious attack
given that they can hold onto this information indefinitely. I'm not a motivated
attacker, but that would tempt the hell out of me if I was even slightly so
inclined. I should know, because I've been in a similar situation in the past
where I obtained an unshadowed passwd file (through a purely casual attack when
I was looking up a friend's uid and discovered the passwd file was not
shadowed... so of course I made a copy). I could have left it alone, but it
tempted the hell out of me and I ended up running john over it for two straight
weeks (never did much with the result, but that's not the point)!
I would hope that the developers of any security product learns to think like an
attacker.
I must say I am deeply troubled by the priority seeming to be on the ease of
debugging a security product which has the sole purpose of keeping a passphrase
safe. As the saying goes security is always a trade-off, but given that
gpg-agent is a security product and not a word processor, this particular trade
off does not sit right with me. I would expect the development team to have root
access on their own systems, which avoids the issue as the root user can always
attach a debugger with or without this change - is there truly a reason that
they need to attach to a running gpg-agent on a system they don't have root on?
And what about the thousands of gpg-agents running on other systems in the wild
that should never need to attach a debugger (and if they do... sudo)?
The information about FIPS mode and SELinux is good to know, at least for people
running distributions that support and enable them by default. But from what I
can gather FIPS mode is a RHEL only feature (I may be wrong - I'm not all that
familiar with it), and SELinux is still either not enabled, or in permissive
mode in many distributions by default (including Debian and Ubuntu).
As I mentioned in the original report, an alternative way to protect the memory
of gpg-agent is to install it with the setgid bit set (ssh-agent does both the
prctl() and setgid for example - now there's some developers I applaud). Unlike
SELinux and FIPS mode this works in every distribution and has been supported
for donkeys years.
This identified another bug: To be prepared for FIPS evaluation,
gpg-agent does not store the cached passphrases in the clear but
encrypts them in memory. Right this is security by obscurity but if
we ever have a way to store that key in a secured RAM (e.g. TPM, ARM
TrustZone) we can indeed limit the time a passphrase is available in
the clear to the period it is really needed. This all seems to work
but your tests shows that libassuan does not clear its internal line
buffers so that you can actually find the passphrase in the core
file. I just pushed a fix for this.
IIRC, FIPS mode in Linux inhibits all access to process memory system
wide. Changing this just a for a single user process does not make
much sense.
Further, being able to attach to a running processing is one of the
best debug methods we have. Giving up on this without for a perceived
extra protection is not going to work. There are too many ways to get
the passphrase using other ways. Linux can't protect a user to get
data belonging to him. Iff gpg-agent were a system daemon things
would be different and extra protection would make sense as a
fallback.
Without this I can do gcore pidof gpg-agent and QUITE CLEARLY see my
passphrase in the produced dump:
ian@draal~ [i]> gcore (pidof gpg-agent) 0x00007fb8f8849293 in __select_nocancel () at
../sysdeps/unix/syscall-template.S:81
81 ../sysdeps/unix/syscall-template.S: No such file or directory. warning: target file /proc/1560/cmdline contained unexpected null characters warning: Memory read failed for corefile section, 8192 bytes at 0x7ffce0a12000. Saved corefile core.1560 0x00007f2dd583c293 in __select_nocancel () at
../sysdeps/unix/syscall-template.S:81
81 ../sysdeps/unix/syscall-template.S: No such file or directory. warning: target file /proc/1540/cmdline contained unexpected null characters warning: Memory read failed for corefile section, 8192 bytes at 0x7ffccfbe3000. Saved corefile core.1540 ian@draal~ [i]> strings core.1560 | grep pass passwd This is my ultra secure passphrase - I definitely expect any program that
manages this to take reasonable steps to keep it safe even if I accidentally
leave my screen unlocked one day!
Invalid passphrase; please try again You need a passphrase to unlock the secret key for user:%0A"test123
<test@test.com>"%0A2048-bit RSA key, ID DE3A7EAB, created 2015-08-06 (main key
ID F459B571)%0A
SETERROR Invalid passphrase; please try again
his is my ultra secure passphrase - IQ
ian@draal~ [i]>With this one line change I cannot do the above - that's the definition of
reducing the attack surface last time I checked.
You absolutely can still use gdb to debug it - you just have to start it under
gdb as opposed to attaching to an existing process, or attach the debugger as
root. You could also just disable the syscall in a debug build.
It does not reduce the attack surface. And yes, it complicates things
because you can't anymore debug the process without changing the code
or using other tricks (aka attack). I have not tested the SELinux
feature for quite some time but gnupg supports SELinux if configured
with --enable-selinux-support. If you want some protection better use
that.
dkg: We disable core dumps for the simple reason that we do not want
to see core files on disk. Disk sectors have a longer lifetime than a
process and a user session - thus avoiding core files is a real world
threat mitigation.
So a single syscall to demonstrably reduce the attack surface really complicates
things does it?
News to me.
I agree with you that the standard UNIX model is generally insufficient here.
Perhaps the distros could weigh in with mechanisms to facilitate
secondary-account creation for agents and the like. I've opened
https://bugs.debian.org/794667 about this.
However, i don't think the weak UNIX permissions model is a reason to avoid a
small piece of code like that offered by DarkStarSword below. Closing off one
avenue of attack is still worthwhile, even if other avenues remain. As werner
said, gpg-agent won't create a coredump (even though other avenues of attack are
possible).
Is there something about the complexity of prctl(PR_SET_DUMPABLE, 0); that makes
it undesirable?
dkg: The problem is that the underlying architecture is broken. Unix's stock
permission model is about protecting users from other users, not protecting
processes from other processes. Thus, I don't think it makes any sense to
complicate the code by implementing these effectively useless protections.
FWIW, a widely used practical system that does a much better job at this is
Android. Android runs every program under its own uid. We could do the same
thing with gpg-agent. In fact, this is currently possible with a little help
from ssh. Unfortunately, this requires a fair amount of work by the user to set
up. In particular, the user needs to create a secondary account. It would be
nice if distributions provided a simply way for an unprivileged user to allocate
additional uids, but this is probably a lot of work.
fwiw, i'd be fine with enabling protection against ptrace for gpg-agent, even if
that doesn't fix all the other ways a process can be attacked from another process.
if there are multiple holes, we should plug the ones we can plug, to increase
the pressure to make the other ones fixable.
That is not a bug. gpg keeps keeps files open and only closes them as needed.
For example before renaming a file under Windows. This is actually the same
uner Windows and Unix but under Unix we have the inode concept and thus we can
rename open files.
Thanks for the log. This reveals a bug which has been with us since the support
for gpgsm: If there is no status line handler but a status line is received
anyway the command handling loop terminates and thus the command/answer order
gets out of sync. In this concrete case this is triggered by sending an option
which starts the agent and that starting emits a "PROGRESS" status line.
My solution is not to stop reading after a status line but record a possible
error code and return that only after OK or ERR.
This will go into 1.5.5 which I am already preparing.
I am unsure I understand, this causes gpgme to fail.
GPGME 2014-12-26 01:12:58 <0x5f44> _gpgme_run_io_cb: call: item=0xd2e804f5b00,
handler (0xd2e804f5970, 13)
GPGME 2014-12-26 01:12:58 <0x5f44> chan_12 <- ERR 50331822 Unknown option <GpgSM>
GPGME 2014-12-26 01:12:58 <0x5f44> gpgme:status_handler: call:
gpgsm=0xd2e804f5970, fd 0xd: ERR line - mapped to: Unknown option
Oh well, resizing the buttons to a new fixed size would be a job in the source
of 10 minutes or so. However, this makes an very ugly Pinentry for every day's
use (i.e. entering a passphrase for an existing key). So, sorry, I won't take
that patch.
With native Windows code I mean native Windows code for GUIs instead of relying
on MFC or whatever is the latest GUI framework MS uses. This is similar to xlib
programm vs. GTK+ programming
Anyway, thanks for looking into this. I will retitle the bug to keep it open.
Maybe eventually someone starts to hack on it.
Well, here's my fix. Using this neat little program I downloaded called
Resource Hacker, I edited the buttons on the dialog box so that they would
be big enough to display the messages needed. Realizing that pinentry.exe
and pinentry-w32.exe were identical files (checking them in a hex editor
with file comparison function showed them to be exactly the same), I just
copied my edited version of pinentry.exe and renamed the copy as
pinentry-w32.exe. I have put both of them in a zip file called
pinentry.zip, and have attached this zip file to this email. Feel free to
distribute this on the official GPG4Win website. Note that the file name of
the attachment is "piz" not "zip", so before you extract its contents (for
use, or posting on your website) you will need to rename it from "piz" back
to "zip". I had to rename it from "zip" to "piz" because otherwise Gmail's
mail server scans inside the zip file and then for blocks it because it
detects exe files (and exe files are a format that can potentially harbor
malware). Even though this has no malware (as you can see by scanning it
with a virus scanner), Google's mail server takes extra precautions by
refusing to allow sending of executable files or even archive files that
contain executable files.
As far as I know, GPG4Win is a compiling/linking of GPG to be Windows
compatible, which means that the code was already altered to work with
Windows. Therefore native Windows code is already in use in the GPG4Win
variant of GPG. Therefore it should work correctly in every respect in
Windows (including correctly sized buttons).
This requires native Windows code to resize a button in a dialog. This is to
much work for something which is basically a debug tool. I have called several
years for help on building a good native Windows tool (without MFC and such) to
no avail.
Feel free to send a working patch to gnupg-devel@
Even so, this is a bug. As such, it should be fixed.
It can be specified by scdaemon's option. Now in 2.0.x and 2.1.x, it does
partial match for PC/SC.
So, this issue is now closed.
Note: for more information about this issue, please refer to:
T1945 https://wiki.gnupg.org/GnomeKeyring
(I've added this here, since this page is one of the top hits on ddg and google
when searching for the warning message.)
Thanks for the information.
I think the complete IDNA and co are an big mining field until to day.
Sure it used and thus read! You only need to look at the code for 5 seconds!
And no, it is not a lock. Read the comment at the var definition.
Yes it is not for a reason - checkout the comments to see why.
No c+p of warnings please! Use gnupg-devel instead.
It is just warning which does not matter if you are using a released tarball.
The next release will support newer autotools and has updated helper files.
Ok, thanks for the feedback.
I noticed your address elsewhere and wondered whether my script can handle it.
They do. However, gpg has not a complete parser but tries to make sure that the
user id looks like a valid address.
Use --allow-freeform-uid and enter what ever you like.
dkg developed a reasonsable patch which will be included in the next 1.4 version.
No bug and I already set this bug to resolved.
Judging by the lack of reply, I assume that this bug won't be fixed, correct?