Template: catacomb-bin/pixie-is-setuid
Type: boolean
-Default: true
+Default: false
Description: Install pixie setuid-root?
Catacomb provides a `passphrase pixie' which prompts for passphrases
(either on its terminal or using an external command) and remembers them
for a configurable period of time.
.
For added security, the pixie can ensure that the memory it uses for
- passphrases is not swapped to disk. To do this, it must be installed
- setuid root. While the pixie has been carefully written so that this
- shouldn't be a security problem -- it allocates a small amount of memory,
- marks it as unswappable and then drops privileges immediately -- it may
- make some administrators nervous, so you have the option.
+ passphrases is not swapped to disk. Nowadays this usually just works
+ assuming that users have a sensible RLIMIT_MEMLOCK setting. Even so, it can
+ be installed setuid root just to make sure. While the pixie has been
+ carefully written so that this shouldn't be a security problem -- it
+ allocates a small amount of memory, marks it as unswappable and then drops
+ privileges immediately -- it's not really recommended any more. If in
+ doubt, say N here.