Bug #14318

open

gpg: Warning: using insecure memory!

Added by Predrag Zečević 27 days ago. Updated 24 days ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags:

Description

Hi,

```
:; gpg --list-secret-keys
gpg: error reading symlink '/proc/curproc/file': No such file or directory
gpg: Warning: using insecure memory!
/export/home/predrag_zecevic/.gnupg/pubring.kbx
...
```

This looks like it uses Linux /proc...

:; truss -f gpg --list-secret-keys
5348:   execve("/usr/bin/gpg2", 0x7FFFBFFFF088, 0x7FFFBFFFF0A0)  argc = 2
5348:   sysinfo(SI_MACHINE, "i86pc", 257)               = 6
5348:   mmap(0x00000000, 56, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, 4294967295, 0) = 0x7FFFAF580000
5348:   mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, 4294967295, 0) = 0x7FFFAF570000
5348:   mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, 4294967295, 0) = 0x7FFFAF560000
5348:   mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, 4294967295, 0) = 0x7FFFAF550000
5348:   memcntl(0x7FFFAF596000, 102520, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
5348:   mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, 4294967295, 0) = 0x7FFFAF540000
5348:   memcntl(0x00400000, 201632, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
5348:   resolvepath("/usr/lib/amd64/ld.so.1", "/lib/amd64/ld.so.1", 1023) = 18
5348:   resolvepath("/usr/bin/gpg2", "/usr/bin/gpg2", 1023) = 13
5348:   stat("/usr/bin/gpg2", 0x7FFFBFFFECC0)           = 0
5348:   open("/var/ld/64/ld.config", O_RDONLY)          = 3
5348:   fstat(3, 0x7FFFBFFFE700)                        = 0
5348:   mmap(0x00000000, 124, PROT_READ, MAP_SHARED, 3, 0) = 0x7FFFAF530000
5348:   close(3)                                        = 0
5348:   stat("/usr/gcc/7/lib/amd64/libc.so.1", 0x7FFFBFFFE090) Err#2 ENOENT
5348:   stat("/lib/64/libc.so.1", 0x7FFFBFFFE090)       = 0
5348:   resolvepath("/lib/64/libc.so.1", "/lib/amd64/libc.so.1", 1023) = 20
5348:   open("/lib/64/libc.so.1", O_RDONLY)             = 3
5348:   mmapobj(3, MMOBJ_INTERPRET, 0x7FFFAF540DE0, 0x7FFFBFFFDFEC, 0x00000000) = 0
5348:   close(3)                                        = 0
5348:   mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, 4294967295, 0) = 0x7FFFAF520000
5348:   memcntl(0x7FFFAF2C0000, 496480, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
5348:   stat("/usr/gcc/7/lib/amd64/libreadline.so.6", 0x7FFFBFFFDBC0) Err#2 ENOENT
5348:   stat("/lib/64/libreadline.so.6", 0x7FFFBFFFDBC0) Err#2 ENOENT
5348:   stat("/usr/lib/64/libreadline.so.6", 0x7FFFBFFFDBC0) = 0
5348:   resolvepath("/usr/lib/64/libreadline.so.6", "/usr/lib/amd64/libreadline.so.6", 1023) = 31
5348:   open("/usr/lib/64/libreadline.so.6", O_RDONLY)  = 3
5348:   mmapobj(3, MMOBJ_INTERPRET, 0x7FFFAF550C50, 0x7FFFBFFFDB1C, 0x00000000) = 0
5348:   close(3)                                        = 0
5348:   mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, 4294967295, 0) = 0x7FFFAF510000
5348:   memcntl(0x7FFFA4E40000, 121440, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
5348:   mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, 4294967295, 0) = 0x7FFFAF500000
5348:   mmap(0x00010000, 24576, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON|MAP_ALIGN, -1, 0) = 0x7FFFAF4F0000
5348:   getcontext(0x7FFFBFFFE7F0)
5348:   getrlimit(RLIMIT_STACK, 0x7FFFBFFFE7E0)         = 0
5348:   getpid()                                        = 5348 [5347]
5348:   lwp_private(0, 0, 0x7FFFAF4F2A40)               = 0x00000000
5348:   getrandom("831C\bC8EF0284AA", 8, 0)             = 8
5348:   setustack(0x7FFFAF4F2AE8)
5348:   setustack(0x7FFFAF4F2AE8)
5348:   lwp_cond_broadcast(0x7FFFAF5101A8)              = 0
5348:   lwp_cond_broadcast(0x7FFFAF5201A8)              = 0
5348:   lwp_cond_broadcast(0x7FFFAF5401A8)              = 0
5348:   sysi86(SI86FPSTART, 0x7FFFBFFFF02C, 0x0000133F, 0x00001F80) = 0x00000001
5348:   fcntl(0, F_GETFD, 0x7FFFBFFFF0A0)               = 0
5348:   fcntl(1, F_GETFD, 0xFFFFFE176C73C860)           = 0
5348:   fcntl(2, F_GETFD, 0xFFFFFE176C73C860)           = 0
5348:   stat("/usr/gcc/7/lib/amd64/libgpg-error.so.0", 0x7FFFBFFFD980) Err#2 ENOENT
5348:   stat("/lib/64/libgpg-error.so.0", 0x7FFFBFFFD980) Err#2 ENOENT
5348:   stat("/usr/lib/64/libgpg-error.so.0", 0x7FFFBFFFD980) = 0
5348:   resolvepath("/usr/lib/64/libgpg-error.so.0", "/usr/lib/amd64/libgpg-error.so.0.32.0", 1023) = 37
5348:   open("/usr/lib/64/libgpg-error.so.0", O_RDONLY) = 3
5348:   mmapobj(3, MMOBJ_INTERPRET, 0x7FFFAF500250, 0x7FFFBFFFD8DC, 0x00000000) = 0
5348:   close(3)                                        = 0
5348:   memcntl(0x7FFFA44B0000, 49680, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
5348:   brk(0x00000000)                                 = 5625160
5348:   brk(0x0055D550)                                 = 0
5348:   brk(0x00561550)                                 = 0
5348:   brk(0x00561550)                                 = 0
5348:   brk(0x00565550)                                 = 0
5348:   lwp_cond_broadcast(0x7FFFAF500578)              = 0
5348:   stat("/usr/gcc/7/lib/amd64/libgcrypt.so.20", 0x7FFFBFFFD980) Err#2 ENOENT
5348:   stat("/lib/64/libgcrypt.so.20", 0x7FFFBFFFD980) Err#2 ENOENT
5348:   stat("/usr/lib/64/libgcrypt.so.20", 0x7FFFBFFFD980) = 0
5348:   resolvepath("/usr/lib/64/libgcrypt.so.20", "/usr/lib/amd64/libgcrypt.so.20.3.4", 1023) = 34
5348:   open("/usr/lib/64/libgcrypt.so.20", O_RDONLY)   = 3
5348:   mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, 4294967295, 0) = 0x7FFFAF4E0000
5348:   mmapobj(3, MMOBJ_INTERPRET, 0x7FFFAF4E0030, 0x7FFFBFFFD8DC, 0x00000000) = 0
5348:   close(3)                                        = 0
5348:   memcntl(0x7FFFA5040000, 182200, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
5348:   lwp_cond_broadcast(0x7FFFAF4E0358)              = 0
5348:   sysconfig(_CONFIG_PAGESIZE)                     = 4096
5348:   schedctl()                                      = 0x7FFFAF4D3000
5348:   priocntlsys(1, 0x7FFFBFFFE760, 3, 0x7FFFBFFFE960, 0) = 5348
5348:   priocntlsys(1, 0x7FFFBFFFE6C0, 1, 0x7FFFBFFFE880, 0) = 5
5348:   priocntlsys(1, 0x7FFFBFFFE650, 0, 0x7FFFAF457B48, 0) = 5
5348:   mmap(0x00000000, 131072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, 4294967295, 0) = 0x7FFFAF4B2000
5348:   mmap(0x00000000, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, 4294967295, 0) = 0x7FFFAF4A0000
5348:   sigaction(SIGCANCEL, 0x7FFFBFFFE520, 0x00000000) = 0
5348:   sysconfig(_CONFIG_STACK_PROT)                   = 3
5348:   mmap(0x00000000, 2088960, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, 4294967295, 0) = 0x7FFFAF0C1000
5348:   mmap(0x00010000, 65536, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON|MAP_ALIGN, 4294967295, 0) = 0x7FFFAF480000
5348:   uucopy(0x7FFFBFFFE4E0, 0x7FFFAF2BEFE8, 24)      = 0
5348:   lwp_create(0x7FFFBFFFE5F0, LWP_SUSPENDED, 0x7FFFBFFFE5EC) = 2
5348/2:         lwp_create()    (returning as new lwp ...)      = 0
5348/1:         lwp_continue(2)                                 = 0
5348/2:         setustack(0x7FFFAF4802E8)
5348/2:         schedctl()                                      = 0x7FFFAF4D3010
5348/2:         lwp_sigmask(SIG_SETMASK, 0xFFBFFEFF, 0xFFFFFFF7, 0x000001FF, 0x00000000) = 0xFFBFFEFF [0xFFFFFFFF]
5348/2:         open("/usr/lib/locale/en_US.UTF-8/LC_MESSAGES/SUNW_OST_SGS.mo", O_RDONLY) Err#2 ENOENT
5348/2:         mmap(0x00010000, 65536, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON|MAP_ALIGN, 4294967295, 0) = 0x7FFFAF0B0000
5348/2:         lwp_exit()
5348:   lwp_wait(2, 0x7FFFBFFFE9BC)                     = 0
5348:   open("/usr/lib/locale//en_US.UTF-8/LC_CTYPE/LCL_DATA", O_RDONLY) = 3
5348:   fstat(3, 0x7FFFBFFFE4E0)                        = 0
5348:   mmap(0x00000000, 48860, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7FFFAF0A0000
5348:   close(3)                                        = 0
5348:   mmap(0x00010000, 131072, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON|MAP_ALIGN, 4294967295, 0) = 0x7FFFAF070000
5348:   munmap(0x7FFFAF0A0000, 48860)                   = 0
5348:   open("/usr/lib/locale//de_DE.UTF-8/LC_NUMERIC/LCL_DATA", O_RDONLY) = 3
5348:   fstat(3, 0x7FFFBFFFE4E0)                        = 0
5348:   read(3, " ,\n .\n 3\n", 6)                      = 6
5348:   close(3)                                        = 0
5348:   open("/usr/lib/locale//en_US.UTF-8/LC_COLLATE/LCL_DATA", O_RDONLY) = 3
5348:   fstat(3, 0x7FFFBFFFE550)                        = 0
5348:   mmap(0x00000000, 79460, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7FFFAF09B000
5348:   close(3)                                        = 0
5348:   open("/usr/lib/locale//de_DE.UTF-8/LC_MONETARY/LCL_DATA", O_RDONLY) = 3
5348:   fstat(3, 0x7FFFBFFFE4D0)                        = 0
5348:   read(3, " E U R  \nE282AC\n ,\n .".., 46)       = 46
5348:   close(3)                                        = 0
5348:   open("/usr/lib/locale//en_US.UTF-8/LC_MESSAGES/LCL_DATA", O_RDONLY) = 3
5348:   fstat(3, 0x7FFFBFFFE4E0)                        = 0
5348:   read(3, " ^ ( ( [ y Y ] ( [ e E ]".., 59)       = 59
5348:   close(3)                                        = 0
5348:   readlink("/proc/curproc/file", 0x00561D90, 255) Err#2 ENOENT
5348:   open("/usr/lib/locale/en_US.UTF-8/LC_MESSAGES/SUNW_OST_OSLIB.mo", O_RDONLY) Err#2 ENOENT
5348:   brk(0x00565550)                                 = 0
5348:   brk(0x00569550)                                 = 0
gpg: error reading symlink '/proc/curproc/file': No such file or directory5348: write(2, " g p g :   e r r o r   r".., 74)      = 74

5348:   write(2, "\n", 1)                               = 1
5348:   access("/etc/gcrypt/fips_enabled", F_OK)        Err#2 ENOENT
5348:   open("/proc/sys/crypto/fips_enabled", O_RDONLY) Err#2 ENOENT
5348:   open("/etc/gcrypt/hwf.deny", O_RDONLY)          Err#2 ENOENT
5348:   lseek(0, 0, SEEK_CUR)                           = 2019075
5348:   getrlimit(RLIMIT_CORE, 0x7FFFBFFFEBA0)          = 0
5348:   setrlimit(RLIMIT_CORE, 0x7FFFBFFFEBA0)          = 0
5348:   sigaction(SIGINT, 0x00000000, 0x7FFFBFFFEB70)   = 0
5348:   sigaction(SIGINT, 0x7FFFBFFFEAF0, 0x00000000)   = 0
5348:   sigaction(SIGHUP, 0x00000000, 0x7FFFBFFFEB70)   = 0
5348:   sigaction(SIGHUP, 0x7FFFBFFFEAF0, 0x00000000)   = 0
5348:   sigaction(SIGTERM, 0x00000000, 0x7FFFBFFFEB70)  = 0
5348:   sigaction(SIGTERM, 0x7FFFBFFFEAF0, 0x00000000)  = 0
5348:   sigaction(SIGQUIT, 0x00000000, 0x7FFFBFFFEB70)  = 0
5348:   sigaction(SIGQUIT, 0x7FFFBFFFEAF0, 0x00000000)  = 0
5348:   sigaction(SIGSEGV, 0x00000000, 0x7FFFBFFFEB70)  = 0
5348:   sigaction(SIGSEGV, 0x7FFFBFFFEAF0, 0x00000000)  = 0
5348:   sigaction(SIGUSR1, 0x7FFFBFFFEAF0, 0x00000000)  = 0
5348:   sigaction(SIGPIPE, 0x7FFFBFFFEAF0, 0x00000000)  = 0
5348:   brk(0x00569550)                                 = 0
5348:   brk(0x0056D550)                                 = 0
5348:   mmap(0x00000000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, 4294967295, 0) = 0x7FFFAF060000
5348:   getuid()                                        = 2903 [2903]
5348:   memcntl(0x7FFFAF060000, 32768, MC_LOCK, 0, 0, 0) Err#1 EPERM [proc_lock_memory]
5348:   getuid()                                        = 2903 [2903]
5348:   stat("/usr/gcc/7/lib/amd64/libassuan.so.0", 0x7FFFBFFFD980) Err#2 ENOENT
5348:   stat("/lib/64/libassuan.so.0", 0x7FFFBFFFD980)  Err#2 ENOENT
5348:   stat("/usr/lib/64/libassuan.so.0", 0x7FFFBFFFD980) = 0
5348:   resolvepath("/usr/lib/64/libassuan.so.0", "/usr/lib/amd64/libassuan.so.0.8.5", 1023) = 33
5348:   open("/usr/lib/64/libassuan.so.0", O_RDONLY)    = 3
5348:   mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, 4294967295, 0) = 0x7FFFAF050000
5348:   mmapobj(3, MMOBJ_INTERPRET, 0x7FFFAF050030, 0x7FFFBFFFD8DC, 0x00000000) = 0
5348:   close(3)                                        = 0
5348:   memcntl(0x7FFFA4480000, 32184, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
5348:   lwp_cond_broadcast(0x7FFFAF050358)              = 0
5348:   stat("/export/home/predrag_zecevic/.gnupg", 0x7FFFBFFFED60) = 0
...

I wonder if this has consequences, or is it SNAFU on the OpenIndiana platform?

```
:; gpg --version
gpg: error reading symlink '/proc/curproc/file': No such file or directory
gpg (GnuPG) 2.3.3
libgcrypt 1.9.4
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /export/home/predrag_zecevic/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
```

Please advise.
With best regards.

Actions #1

Updated by Andy Fiddaman 26 days ago

The /proc part was reported upstream at https://dev.gnupg.org/T5671 and should be fixed in gnupg 2.3.4.

The insecure memory warning is because gnupg cannot lock the memory on illumos when it is not running as root (and possibly needs to be in the GZ too). It should be possible to set gnupg setuid and limit its privileges using RBAC so it is able to lock the memory, but that would need to be carefully assessed. You could also add this to your ~/.gnupg/gpg.conf:

```
no-secmem-warning
```

Actions #2

Updated by Andreas Wacknitz 25 days ago

```
:; gpg --list-secret-keys
gpg: error reading symlink '/proc/curproc/file': No such file or directory
gpg: Warning: using insecure memory!
```

What version of gnupg did you use and how did you install it? We don't have a "gpg" application. Our main gnupg executable is named gpg2.
The first part of the problem has already been fixed upstream as Andy Fiddaman noted and that has been integrated into OI recently by updating gnupg to 2.3.4.
I am still working on a solution for the insecure memory problem. I have been trying to make use of the privilege proc_lock_memory but that doesn't work yet.
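
What the warning means in code, as an added example that is not part of this thread and not libgcrypt's or gnupg's own code: a pool the size of the 32768-byte mapping in the truss output is mapped and pinned with `mlock()`, which the trace shows on illumos as `memcntl(..., MC_LOCK, ...)`. When the lock is refused, as with the `EPERM` above, the pool still works but its pages may be written to swap. The names `secpool_*` and `POOL_SIZE` are hypothetical.

```c
#define _DEFAULT_SOURCE /* expose MAP_ANON under strict -std= modes */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define POOL_SIZE 32768 /* size of the pool mapping seen in the trace */

struct secpool {
    void  *base;       /* page-aligned anonymous mapping, NULL if unused */
    size_t len;
    int    locked;     /* 1 if mlock() pinned the pages in RAM */
    int    lock_errno; /* errno from mlock() when locked == 0 */
};

/* Map the pool and try to pin it. Returns -1 only if the mapping fails;
 * a refused lock leaves a usable but swappable ("insecure") pool. */
int secpool_init(struct secpool *p, size_t len)
{
    memset(p, 0, sizeof *p);
    p->base = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p->base == MAP_FAILED) { p->base = NULL; return -1; }
    p->len = len;
    if (mlock(p->base, len) == 0) p->locked = 1;
    else p->lock_errno = errno;
    return 0;
}

/* Wipe through a volatile pointer so the stores are not optimised away,
 * then unlock and unmap. */
void secpool_destroy(struct secpool *p)
{
    if (!p->base) return;
    volatile unsigned char *v = p->base;
    for (size_t i = 0; i < p->len; i++) v[i] = 0;
    if (p->locked) munlock(p->base, p->len);
    munmap(p->base, p->len);
    memset(p, 0, sizeof *p);
}

int main(void)
{
    struct secpool p;
    if (secpool_init(&p, POOL_SIZE) != 0) { perror("mmap"); return 1; }
    if (!p.locked)
        fprintf(stderr, "insecure memory: mlock: %s\n", strerror(p.lock_errno));
    else puts("pool locked in RAM");
    secpool_destroy(&p);
    return 0;
}
```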

Actions #3

Updated by Predrag Zečević 24 days ago

Hi,
it is a symlink

```
:; ls -al /usr/local/bin/gpg
lrwxrwxrwx 1 root root 13 May 11  2016 /usr/local/bin/gpg -> /usr/bin/gpg2
```

It was:

```
:; gpg --version | head -1
gpg (GnuPG) 2.3.3
```

Now I have upgraded it to 2.3.4 and I saw the fix for this: https://github.com/OpenIndiana/oi-userland/pull/7432

Thanks
