How to disable virtual memory / swap files
Authored by: Auricchio on Aug 12, '04 01:02:29PM

Turning off swap, as others have suggested, is such an extreme move as to be dangerous. The system will eventually die a sudden and perhaps horrible death.

Using "srm" instead of "rm" in the rc file makes the most sense, as suggested above. The swap files will be securely deleted.

As for physical access and security, this has always been known. If someone has physical access to a computer, they can gain access. This is why the military developed the Tempest enclosure; it prevents physical access to all but the keyboard and mouse.

EMOJO: mojo no longer workin'

Tempest is for NON-physical access
Authored by: dhrakar on Aug 12, '04 02:15:48PM

Almost :-)

Tempest-rated enclosures are designed to keep out non-physical access to your system. That is, they prevent someone from being able to intercept the RF signals put out by your system by having really tight shielding. The reason that this is a problem is that sophisticated snoopers can 'see' what you are doing on your system by analyzing the RF it puts out.

As far as the military is concerned, keeping a handle on physical access is what twitchy 18-year-olds with M16s are for :-)

horrible death... :) and security for all!
Authored by: hard-mac on Aug 12, '04 07:59:39PM

Your system will not die a horrible death.

I have tested using no VM swap on numerous systems for several weeks now. At worst you may get a beach ball when you try and open many, many things at once... It depends on how much RAM your machine has.

As I said in the above hint, this is for people who require more security than the current level of the OSX default installation. For those who cannot tolerate the fact that their Login and FileVault and Keychain passwords are there for the easy pickings to anyone that has physical access to their machine, or who roots it through a remote exploit!


Hardening Your Macintosh

horrible death... :) and security for all!
Authored by: GaelicWizard on Aug 12, '04 11:51:53PM

Your fantasy of security is slightly off centre.

"At worst" your system will die. If the window server cannot malloc memory, then it will freeze. Once it has frozen, you can ssh in and start killing things to free memory, but then you lose unsaved work. If you can't free enough to un-freeze the window server, then it's dead.

If someone roots your machine through some yet-to-be-discovered remote exploit that you have left on your machine even after a patch is released (which would happen within days), then they have access to the kernel and can grab passwords from memory, forget the swap file.

If someone has root, then you're screwed. If your fantasy of keeping passwords off disk makes you feel special, then by all means go for it, it will only prevent you from working efficiently. Recommending that others do it is irresponsible.

I have tried the grepping-for-password trick, and it is particularly disturbing that my password showed up a dozen times. Since then I have made sure that my login password and the root password (if you make the mistake of enabling root) are different from all my other passwords, and I have discovered that I am unable to find my password in memory. I do not know if this is sufficient proof that this "hole" is not as bad as you pretend, but it does mean that there is almost no way for someone to crack my passwords, assuming that they can somehow get root to see my swap files anyway.

Of course, it is ridiculously easy to extract passwords from /etc/passwd, netinfo, and even Panther's shadow hash, if you have root. Go check out John the Ripper; it might bother you sufficiently to go delete your hard drive to make sure your passwords are safe.



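Two points in this thread lend themselves to one worked script: Auricchio's suggestion of replacing the plain "rm" of the swap files in the rc file with "srm", and GaelicWizard's grepping of the swap files to see whether a password is present. The following is an added example and not code from any poster here. It assumes the Mac OS X layout of a swap directory (/private/var/vm) holding files named swapfile*, which the thread does not state explicitly; it uses srm when that tool is installed and otherwise zero-fills each file in place with dd before unlinking it, so the old blocks do not survive on disk. The demo at the bottom runs against a constructed throwaway directory, never the live swap.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): audit swap files for a
# known string, then remove them srm-style instead of with a plain "rm".
# Assumptions: swap lives in a directory of files named swapfile* (the
# Mac OS X location /private/var/vm is assumed, not confirmed by the thread);
# srm is used when present, otherwise the file is zero-filled in place with dd
# before unlinking so the original blocks are not left intact on disk.

# Count occurrences of a fixed string across the swap files in a directory.
# Prints the total; 0 when no swap file contains it. -a treats the binary
# swap contents as text, -o emits one line per match so wc -l counts matches.
count_in_swap() {
    dir="$1"; needle="$2"; total=0
    for f in "$dir"/swapfile*; do
        [ -f "$f" ] || continue                     # glob matched nothing
        n=$(grep -a -o -F -- "$needle" "$f" | wc -l | tr -d ' ')
        total=$((total + n))
    done
    echo "$total"
}

# Overwrite one file in place, then unlink it.
secure_remove_file() {
    f="$1"
    [ -f "$f" ] || return 1
    if command -v srm >/dev/null 2>&1; then
        srm "$f"                                    # overwrite passes, then unlink
    else
        size=$(wc -c < "$f")
        blocks=$(( (size + 4095) / 4096 ))
        # conv=notrunc keeps the existing allocation so the original blocks
        # are the ones overwritten; rm then drops the directory entry.
        dd if=/dev/zero of="$f" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
        rm -f "$f"
    fi
}

# Wipe every swapfile* in a directory; prints the number removed.
secure_remove_swap() {
    dir="${1:-/private/var/vm}"                     # assumed default location
    n=0
    for f in "$dir"/swapfile*; do
        [ -f "$f" ] || continue
        secure_remove_file "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Demo on a constructed, throwaway swap directory (never the live one).
demo_dir=$(mktemp -d)
printf 'login=alice pass=hunter2 ... hunter2\n' > "$demo_dir/swapfile0"
printf 'nothing sensitive here\n' > "$demo_dir/swapfile1"
echo "occurrences before wipe: $(count_in_swap "$demo_dir" hunter2)"   # 2
echo "files wiped: $(secure_remove_swap "$demo_dir")"                   # 2
echo "occurrences after wipe:  $(count_in_swap "$demo_dir" hunter2)"   # 0
rmdir "$demo_dir"
```

Run at boot in place of the rm line, secure_remove_swap would be called with no argument so it uses the assumed /private/var/vm default; the audit function is the thing to run before deciding whether the extra boot-time cost is worth it on a given machine, since a swap file that never held the credential gains nothing from the overwrite.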