Bug#368297: About the libgcrypt and OpenLDAP issue

Werner Koch wk at gnupg.org
Fri Apr 19 18:56:04 UTC 2013


On Fri, 19 Apr 2013 20:15, clopez at igalia.com said:

> What about removing this feature of dropping privileges from libgcrypt
> and adding it to gpg itself? gpg could check if it is run suid and drop

I already explained that this is not possible because we can't know the
applications which rely on this behaviour.  The packages in Debian are
by far not the only software in use by Debian users.  Most software is
production critical software which assumes that the OS (e.g. Debian)
does its job right.  Thus it is irresponsible to sneak in such a change.

> Otherwise it is just impossible for any suid application (that wants to
> stay suid) to use the libgcrypt secmem feature. Developers of this

Any suid application using libgcrypt/gnutls/openldap/complex-o-code
before dropping privileges is a sleeping security problem.  You will
never be able to get them right.  We are now in 2013 and over the course
of the last two decades (and the rise of the Internet as an unfriendly
place) all programmers should have learned that they need to take great
care with suid code and that code size matters.

Having said this, I don't see a reason why not to put the
responsibilities in the hands of the suid program authors.  They anyway
wake up every night due to a nightmare telling them to check this and
that and - oh - I am using a library I didn't check for 2 releases;
let's set 2 years aside for another full audit of my entire program.
Adding two lines of code right at startup shouldn't make their headaches
worse.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
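An added example, not Werner's code and not from libgcrypt or Debian, of the "two lines at startup" a suid program author can add: drop privileges permanently before any library (libgcrypt's secure memory included) is initialised, and refuse to run if the drop cannot be verified. It assumes Linux/glibc for setresuid/setresgid; the function names are hypothetical.

```c
#define _GNU_SOURCE            /* for setresuid/setresgid on glibc */
#include <stdio.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* Drop any setuid/setgid privilege for good.  Returns 0 when real,
 * effective and saved ids all equal the invoking user's (or nothing had
 * to be dropped), -1 on failure.  Order matters: supplementary groups and
 * the gid must be set while we still have the privilege to do so. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() != ruid || getegid() != rgid) {
        if (geteuid() == 0 && setgroups(1, &rgid) != 0)
            return -1;
        if (setresgid(rgid, rgid, rgid) != 0)
            return -1;
        if (setresuid(ruid, ruid, ruid) != 0)
            return -1;
    }
    /* A non-root caller must not be able to get root back; if setuid(0)
     * succeeds here the saved uid was not cleared and we must bail out. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return (getuid() == geteuid() && getgid() == getegid()) ? 0 : -1;
}

/* Reports whether the process is still carrying elevated ids. */
int is_running_suid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

int main(void)
{
    /* The very first thing a suid program does, before gcry_control()
     * or any other library initialisation that might hold on to root. */
    if (drop_privileges_permanently() != 0) {
        fputs("could not drop privileges, refusing to run\n", stderr);
        return 1;
    }
    printf("running as uid %u (suid: %s)\n", (unsigned)getuid(),
           is_running_suid() ? "yes" : "no");
    return 0;
}
```

Run as a plain user the function is a verified no-op; installed setuid it leaves the process with the invoking user's ids only.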



More information about the Pkg-gnutls-maint mailing list