#! /bin/sh -e
. /usr/share/debconf/confmodule
db_version 2.0
-db_input medium catacomb-bin/pixie-is-setuid || true
+db_input low catacomb-bin/pixie-is-setuid || true
db_go || true
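Review bot: Dropping the `db_input` priority from `medium` to `low` means the question is no longer shown at debconf's default priority, so together with the template's new `Default: false` nearly every installation will get a non-setuid pixie without ever seeing the prompt; that looks intentional, but the priority change should be stated in the changelog entry alongside "Don't make the Pixie setuid-root by default", and it is worth confirming that systems which previously answered `true` keep that stored answer on upgrade (and therefore keep a setuid pixie) rather than silently flipping. The `|| true` after `db_input` is still appropriate, since a skipped question returns non-zero and that is now the common path.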
Template: catacomb-bin/pixie-is-setuid
Type: boolean
-Default: true
+Default: false
Description: Install pixie setuid-root?
Catacomb provides a `passphrase pixie' which prompts for passphrases
(either on its terminal or using an external command) and remembers them
for a configurable period of time.
.
For added security, the pixie can ensure that the memory it uses for
- passphrases is not swapped to disk. To do this, it must be installed
- setuid root. While the pixie has been carefully written so that this
- shouldn't be a security problem -- it allocates a small amount of memory,
- marks it as unswappable and then drops privileges immediately -- it may
- make some administrators nervous, so you have the option.
+ passphrases is not swapped to disk. Nowadays this usually just works
+ assuming that users have a sensible RLIMIT_MEMLOCK setting. Even so, it can
+ be installed setuid root just to make sure. While the pixie has been
+ carefully written so that this shouldn't be a security problem -- it
+ allocates a small amount of memory, marks it as unswappable and then drops
+ privileges immediately -- it's not really recommended any more. If in
+ doubt, say N here.
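Review bot: The new Description says locking "usually just works assuming that users have a sensible RLIMIT_MEMLOCK setting" but never says what the pixie does when the limit is too small and it is not setuid (refuse to start, or carry on with passphrases in swappable memory), which is exactly what an administrator needs in order to answer this question; suggest one sentence stating the failure behaviour and how to check the current limit (for instance with `ulimit -l`). The opening paragraph, "For added security, the pixie can ensure that the memory it uses for passphrases is not swapped to disk", still presents the setuid route as the security-positive choice while the last sentence says it is not recommended, so the two halves pull in different directions; consider rewording the opening so that "say N here" reads as the consistent recommendation.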
+catacomb (2.1.3) experimental; urgency=low
+
+ * Fibonacci sequence computation: mp_fibonacci function and fibonacci(1)
+ example program.
+ * Upper bounds on phrase entropy in mkphrase(1).
+ * Don't make the Pixie setuid-root by default. Make the documentation
+ less scary.
+
+ -- Mark Wooding <mdw@distorted.org.uk> Thu, 11 Apr 2013 12:06:28 +0100
+
catacomb (2.1.2.1) experimental; urgency=low
* hashsum: Document `--progress' option in `--help' output.
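Review bot: The bullet "Don't make the Pixie setuid-root by default. Make the documentation less scary." does not mention that the debconf question was also lowered from medium to low priority, which is the part of this change that users will actually notice (the prompt disappears on a default install); suggest extending the bullet, e.g. "Don't make the pixie setuid-root by default, and only ask about it at low priority." Minor style point: "Pixie" is capitalised here but lower-case in the template and man page.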
.\"
.SS "Memory management"
During initialization, the pixie attempts to allocate a block of memory
-from the kernel and protect it against being swapped to disk. On most
-systems, this requires that the pixie start with root privileges,
-although it will drop them as soon as it can (before parsing
-command-line options).
+from the kernel and protect it against being swapped to disk. On Linux
+and other systems with
+.B RLIMIT_MEMLOCK
+or similar, this should just work assuming that the limit is set
+sensibly. On other systems, this requires that the pixie start with
+root privileges, although it will drop them as soon as it can (before
+parsing command-line options, for example).
.PP
The locked memory is used for all of the passphrases which the pixie
stores, and for the buffers used to hold requests from clients.
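Review bot: The trailing "for example" in "(before parsing command-line options, for example)" weakens a security-relevant statement; the removed text stated plainly that privileges are dropped before option parsing, and the new wording reads as if that timing were merely illustrative, so either drop "for example" or say what it is an example of. As with the template, this paragraph should also say what happens when the `RLIMIT_MEMLOCK` limit is not "set sensibly" and the pixie is not setuid, since a reader of the "Memory management" section is trying to find out whether the passphrase buffers are actually locked; a cross-reference to `setrlimit(2)` would help the reader check the limit.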