On 2012-02-17, intrigeri <intrigeri@???> wrote:
> But there are not the only GnuPG usecases; I have in mind another kind
> of usecase, that is:
>
> "I don't use asymmetric encryption and I have no private keyring;
> hence, my high-value target is elsewhere; however, I use GnuPG to
> validate signatures on big piles of untrusted data, e.g. Tails ISO
> images or Release.gpg files from the nearest Debian/Ubuntu mirror
> (doesn't last one run as root, by the way?)."
>
> In a setup like this, I see *some* benefit in trying to protect the
> surrounding system from a compromised GnuPG process. Makes sense?
If an attacker can run arbitrary code in an unconfined GPG process run
as root to verify Release.gpg files, the attacker can run arbitrary
code as root.
If an attacker can run arbitrary code in a fully sandboxed GPG process
run as root to verify Release.gpg files, the attacker can falsely
claim that the signature is valid, thereby causing apt to trust a
malicious Release file, thereby causing apt to download a malicious
update package, thereby running arbitrary code as root.
GPG is a program too critical to be allowed to have bugs. Sandboxing
it is a complete waste of time.
Robert Ransom
