On 20 January 2016 at 03:10, Daniel Kahn Gillmor <dkg@xxxxxxxxxxxxxxxxx> wrote:
> On Tue 2016-01-19 19:53:41 -0500, Roland Mainz wrote:
>> What about the idea of storing "valuable" data in unlinked temp files
>> and |mmap()| them only on demand? That would keep them out of the
>> claws of *other* users (obviously the same user can use /proc/$pid/fd/$fd
>> to |open()| such files, but then the same user could just attach
>> gdb/dbx and dissect the ssh/sshd/ssh_secure_storage processes and even
>> inject random code) ...
>
> depending on the filesystem used, this could mean writing this sensitive
> data to the underlying storage medium, which sounds like a worse failure
> than anything this proposal would fix.
>
> --dkg

Why? Kernel paging/swapping would do the same, and you can force that
paging/swapping to a file in a trusted env and still get user data you are
not supposed to obtain. That's even an old trick tiger teams used 5 years
ago to demonstrate that using Linux for sensitive data storage at CEA
Saclay isn't wise.

Ced

--
Cedric Blancher <cedric.blancher@xxxxxxxxx>
Institute Pasteur
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
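To make the trade-off discussed in this thread concrete, here is an added example (my own code, not OpenSSH's and not proposed by anyone in the thread): a small C helper that keeps secret bytes in anonymous memory pinned with mlock() so they are not paged out to swap, and excluded from core dumps. The struct and function names and the sample key material are made up for illustration.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Hypothetical helper, not OpenSSH code. A mapped unlinked temp file can
 * still reach disk by page-cache writeback (non-tmpfs), and heap memory can
 * reach swap; this pins secret bytes with mlock() and keeps them out of
 * core dumps. A same-user ptrace/gdb attach remains possible. */
struct secret_buf {
    unsigned char *p;   /* mapping, or NULL when not allocated */
    size_t len;         /* mapped length, rounded up to whole pages */
    int locked;         /* 1 if mlock() succeeded (RLIMIT_MEMLOCK may deny) */
};
int secret_alloc(struct secret_buf *sb, size_t n)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE), len = (n + pg - 1) / pg * pg;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    sb->p = p; sb->len = len;
    sb->locked = (mlock(p, len) == 0);   /* pinned: never paged out to swap */
#ifdef MADV_DONTDUMP
    madvise(p, len, MADV_DONTDUMP);      /* never written into a core file */
#endif
    return 0;
}
/* Wipe via a volatile pointer (stores survive optimisation), unpin, unmap. */
int secret_free(struct secret_buf *sb)
{
    volatile unsigned char *v = sb->p;
    if (sb->p == NULL) return 0;         /* freeing nothing is a no-op */
    for (size_t i = 0; i < sb->len; i++)
        v[i] = 0;
    if (sb->locked) munlock(sb->p, sb->len);
    int rc = munmap(sb->p, sb->len);     /* 0 on success */
    sb->p = NULL; sb->len = 0; sb->locked = 0;
    return rc;
}
/* Round trip with a constructed sample secret; returns 1 on success. */
int secret_selftest(void)
{
    static const char key[] = "constructed-sample-key-material";
    struct secret_buf sb = { NULL, 0, 0 };
    if (secret_alloc(&sb, sizeof key) != 0) return 0;
    memcpy(sb.p, key, sizeof key);
    int ok = memcmp(sb.p, key, sizeof key) == 0 && sb.len >= sizeof key;
    return secret_free(&sb) == 0 && ok && sb.p == NULL;
}
```

mlock() is treated as best effort because an unprivileged process may hit RLIMIT_MEMLOCK; check the `locked` field if the application must refuse to run unpinned.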