Merge branch 'master' of git.distorted.org.uk:~mdw/publish/public-git/catacomb

* 'master' of git.distorted.org.uk:~mdw/publish/public-git/catacomb:
  mpmul.[ch]: Move internal `HWM' and `LWM' constants to implementation.
  group.h: Fix the struct tag for `group'.

diff --git a/debian/catacomb-bin.config b/debian/catacomb-bin.config
index 49d6dbf..16b4f3b 100644 (file)
--- a/debian/catacomb-bin.config
+++ b/debian/catacomb-bin.config
@@ -1,5 +1,5 @@
 #! /bin/sh -e
 . /usr/share/debconf/confmodule
 db_version 2.0
-db_input medium catacomb-bin/pixie-is-setuid || true
+db_input low catacomb-bin/pixie-is-setuid || true
 db_go || true

diff --git a/debian/catacomb-bin.templates b/debian/catacomb-bin.templates
index d4fb741..66fd54f 100644 (file)
--- a/debian/catacomb-bin.templates
+++ b/debian/catacomb-bin.templates
@@ -1,14 +1,16 @@
 Template: catacomb-bin/pixie-is-setuid
 Type: boolean
-Default: true
+Default: false
 Description: Install pixie setuid-root?
  Catacomb provides a `passphrase pixie' which prompts for passphrases
  (either on its terminal or using an external command) and remembers them
  for a configurable period of time.
  .
  For added security, the pixie can ensure that the memory it uses for
- passphrases is not swapped to disk.  To do this, it must be installed
- setuid root.  While the pixie has been carefully written so that this
- shouldn't be a security problem -- it allocates a small amount of memory,
- marks it as unswappable and then drops privileges immediately -- it may
- make some administrators nervous, so you have the option.
+ passphrases is not swapped to disk.  Nowadays this usually just works
+ assuming that users have a sensible RLIMIT_MEMLOCK setting.  Even so, it can
+ be installed setuid root just to make sure.  While the pixie has been
+ carefully written so that this shouldn't be a security problem -- it
+ allocates a small amount of memory, marks it as unswappable and then drops
+ privileges immediately -- it's not really recommended any more.  If in
+ doubt, say N here.

diff --git a/debian/changelog b/debian/changelog
index 593ec8a..2f12b70 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+catacomb (2.1.3) experimental; urgency=low
+
+  * Fibonacci sequence computation: mp_fibonacci function and fibonacci(1)
+    example program.
+  * Upper bounds on phrase entropy in mkphrase(1).
+  * Don't make the Pixie setuid-root by default.  Make the documentation
+    less scary.
+
+ -- Mark Wooding <mdw@distorted.org.uk>  Thu, 11 Apr 2013 12:06:28 +0100
+
 catacomb (2.1.2.1) experimental; urgency=low
 
   * hashsum: Document `--progress' option in `--help' output.

diff --git a/pixie.1 b/pixie.1
index c83b013..ced4b48 100644 (file)
--- a/pixie.1
+++ b/pixie.1
@@ -125,10 +125,13 @@ Send log messages to the syslog rather than stderr.
 .\"
 .SS "Memory management"
 During initialization, the pixie attempts to allocate a block of memory
-from the kernel and protect it against being swapped to disk.  On most
-systems, this requires that the pixie start with root privileges,
-although it will drop them as soon as it can (before parsing
-command-line options).
+from the kernel and protect it against being swapped to disk.  On Linux
+and other systems with
+.B RLIMIT_MEMLOCK
+or similar, this should just work assuming that the limit is set
+sensibly.  On other systems, this requires that the pixie start with
+root privileges, although it will drop them as soon as it can (before
+parsing command-line options, for example).
 .PP
 The locked memory is used for all of the passphrases which the pixie
 stores, and for the buffers used to hold requests from clients.