[FAQ] - PGP 8.0 Keychain vulnerability on Mac OS X

[michaelsanford]

http://www.pgp.com/products/macintosh/

This applies to PGP 8.0 for Mac OS X 10.2.x; perhaps this issue will be resolved in future relases (I've brought it to the attention of PGP staff) but for the moment, you should verify this yourself.

The default installation of PGP 8.0 will make the following folder with the following properties to store your keychains (public and private):
drwxr-xr-x ~/Documents/PGP/

As you can see, this is terribly dangerous. Any FTP or shell account user who is improperly chroot()ed will have complete access to your private keychain, and can read or replace it at will.

To solve this issue:

Code:

[amras:~]% cd ~/Documents
[amras:~/Documents]% mv PGP ~/Library/
[amras:~/Documents]% cd ~/Library
[amras:~/Library]% chmod og-rx PGP
[amras:~/Library]% ls -la | grep PGP
drwx------    5 amras  staff     170 Mar 29 16:49 PGP

[amras:~/Library]% chmod og-rx PGP/*
[amras:~/Library]% ls -la PGP
-rw-------   1 amras  staff  1306 Mar 29 16:52 PGP Private Keyring.skr
-rw-------   1 amras  staff  1178 Mar 29 16:52 PGP Public Keyring.pkr

This will secure your keyring folder twofold: it will no logner be in the default location, and the folder and keyrings will be readable only by your user. Just remember to change your keyring folder in PGPkeys...

Of course the most secure way to store your keychain is to move them to removeable media (like a flash drive or a CD-R), and keep the media in a safe.

[michaelsanford]

I've been in contact with PGP and they say they have no plans to modify the installer to set more secure privileges.