tags 490545 security
thanks

* Russell Coker ([EMAIL PROTECTED]) wrote:
> Package: gnupg-agent
> Version: 2.0.0-5.2
> Severity: normal
>
> It is possible to ptrace (strace or gdb) the gpg-agent program.
> This means that if an attacker compromises any process running on
> behalf of a user (an MUA or a web browser) then they can ptrace
> gpg-agent and wait for the GPG pass-phrase to be given to them.
>
> If gpg-agent was setgid then ptrace would not be permitted and
> security would be slightly improved.

I'm not sure doing this so specifically just for gpg-agent is the right approach. Something like SELinux or capabilities or something seems more sensible. What group would be appropriate to use in any case?

-- 
Eric Dorland <[EMAIL PROTECTED]>
ICQ: #61138586, Jabber: [EMAIL PROTECTED]
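
An added example, not part of the thread or of gnupg: a small audit helper that applies the ID comparison Linux makes for an unprivileged ptrace attach (the tracer's uid and gid must equal the target's real, effective and saved IDs) to the `Uid:`/`Gid:` lines of `/proc/<pid>/status`. The status samples and gid 995 are constructed; the dumpable flag, CAP_SYS_PTRACE, Yama and LSM policy such as SELinux are not modelled.

```c
#include <stdio.h>
#include <string.h>

/* Real, effective and saved IDs from a Uid:/Gid: line of /proc/<pid>/status. */
struct ids { unsigned r, e, s; };

/* Locate the line beginning with key ("Uid:" or "Gid:") and parse its first three fields. */
static int parse_ids(const char *status, const char *key, struct ids *out)
{
    size_t klen = strlen(key);
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, key, klen) == 0)
            return sscanf(p + klen, "%u %u %u", &out->r, &out->e, &out->s) == 3 ? 0 : -1;
        p = strchr(p, '\n');          /* advance to the start of the next line */
        if (p)
            p++;
    }
    return -1;
}

/* 1: the ID comparison passes; 0: attach would be refused; -1: status text unparsable. */
int creds_allow_ptrace(const char *status, unsigned tracer_uid, unsigned tracer_gid)
{
    struct ids u, g;
    if (parse_ids(status, "Uid:", &u) || parse_ids(status, "Gid:", &g))
        return -1;
    return tracer_uid == u.r && tracer_uid == u.e && tracer_uid == u.s &&
           tracer_gid == g.r && tracer_gid == g.e && tracer_gid == g.s;
}

/* Constructed sample: agent started normally by uid/gid 1000. */
const char *PLAIN_AGENT =
    "Name:\tgpg-agent\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n";
/* Constructed sample: same user, binary setgid to a hypothetical group 995. */
const char *SETGID_AGENT =
    "Name:\tgpg-agent\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t995\t995\t995\n";

int main(void)
{
    printf("plain agent traceable by 1000:1000:  %d\n",
           creds_allow_ptrace(PLAIN_AGENT, 1000, 1000));
    printf("setgid agent traceable by 1000:1000: %d\n",
           creds_allow_ptrace(SETGID_AGENT, 1000, 1000));
    return 0;
}
```

Feeding it the real contents of `/proc/<pid>/status` for a running agent shows whether the process currently relies on anything beyond matching IDs to resist tracing by other processes of the same user.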