From 5d01b1b9514a258c5a3c201e944f676cb2c467f0 Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Thu, 11 Apr 2013 12:02:21 +0100 Subject: [PATCH] The pixie no longer needs to be setuid-root. So turn off the option by default, and downgrade the question. Also make the documentation more useful and up-to-date. --- debian/catacomb-bin.config | 2 +- debian/catacomb-bin.templates | 14 ++++++++------ pixie.1 | 11 +++++++---- 3 files changed, 16 insertions(+), 11 deletions(-) diff --git a/debian/catacomb-bin.config b/debian/catacomb-bin.config index 49d6dbf..16b4f3b 100644 --- a/debian/catacomb-bin.config +++ b/debian/catacomb-bin.config @@ -1,5 +1,5 @@ #! /bin/sh -e . /usr/share/debconf/confmodule db_version 2.0 -db_input medium catacomb-bin/pixie-is-setuid || true +db_input low catacomb-bin/pixie-is-setuid || true db_go || true diff --git a/debian/catacomb-bin.templates b/debian/catacomb-bin.templates index d4fb741..66fd54f 100644 --- a/debian/catacomb-bin.templates +++ b/debian/catacomb-bin.templates 
@@ -1,14 +1,16 @@ Template: catacomb-bin/pixie-is-setuid Type: boolean -Default: true +Default: false Description: Install pixie setuid-root? Catacomb provides a `passphrase pixie' which prompts for passphrases (either on its terminal or using an external command) and remembers them for a configurable period of time. . For added security, the pixie can ensure that the memory it uses for - passphrases is not swapped to disk. To do this, it must be installed - setuid root. While the pixie has been carefully written so that this - shouldn't be a security problem -- it allocates a small amount of memory, - marks it as unswappable and then drops privileges immediately -- it may - make some administrators nervous, so you have the option. + passphrases is not swapped to disk. Nowadays this usually just works + assuming that users have a sensible RLIMIT_MEMLOCK setting. Even so, it can + be installed setuid root just to make sure. While the pixie has been + carefully written so that this shouldn't be a security problem -- it + allocates a small amount of memory, marks it as unswappable and then drops + privileges immediately -- it's not really recommended any more. If in + doubt, say N here. diff --git a/pixie.1 b/pixie.1 index c83b013..ced4b48 100644 --- a/pixie.1 +++ b/pixie.1 
@@ -125,10 +125,13 @@ Send log messages to the syslog rather than stderr. .\" .SS "Memory management" During initialization, the pixie attempts to allocate a block of memory -from the kernel and protect it against being swapped to disk. On most -systems, this requires that the pixie start with root privileges, -although it will drop them as soon as it can (before parsing -command-line options). +from the kernel and protect it against being swapped to disk. On Linux +and other systems with +.B RLIMIT_MEMLOCK +or similar, this should just work assuming that the limit is set +sensibly. On other systems, this requires that the pixie start with +root privileges, although it will drop them as soon as it can (before +parsing command-line options, for example). .PP The locked memory is used for all of the passphrases which the pixie stores, and for the buffers used to hold requests from clients. -- 2.11.0
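Review bot: in the debian/catacomb-bin.templates hunk, the new Description says locking "usually just works assuming that users have a sensible RLIMIT_MEMLOCK setting" but never tells the administrator what "sensible" means or what the pixie does when the limit is too low (refuse to start, warn, or silently keep passphrases in swappable memory). That is the one fact needed to answer the question, so consider adding a sentence on the failure mode and on how to check the limit (for instance `ulimit -l`), otherwise "If in doubt, say N here" is the only guidance left.

Review bot: in the pixie.1 hunk, "although it will drop them as soon as it can (before parsing command-line options, for example)" weakens a concrete statement from the old text into an illustration; either keep the original "before parsing command-line options" or state the exact point at which privileges are dropped. The same paragraph should also say what happens when the mlock attempt fails under RLIMIT_MEMLOCK, since the patch introduces that case and the man page is where an administrator deciding about setuid-root will look for it.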