[pkg-gnupg-maint] Beware of leftover gpg-agent processes

Daniel Kahn Gillmor dkg@fifthhorseman.net
Fri Aug 5 18:43:30 UTC 2016


On Fri 2016-08-05 14:17:23 -0400, Stefano Zacchiroli wrote:
> On Fri, Aug 05, 2016 at 12:41:18PM -0400, Daniel Kahn Gillmor wrote:
>> On desktop systems (where i'd expect the majority of secret key access
>> happens), for folks who are running systemd, i recommend enabling the
>> systemd user services, as documented in
>> /usr/share/doc/{gnupg-agent,dirmngr}/README.Debian :
>> 
>>   systemctl --user enable gpg-agent
>>   systemctl --user enable dirmngr
>
> Thanks for the tip. Do you know if this is needed also for GNOME (or
> other FreeDesktop) session users? Within GNOME, on Debian testing, I see
> that my running gpg-agent process is already a direct child of systemd
> (PID 1), but I'm not sure if that's because it has been started by it,
> or rather because the GPG process that originally spawned it is now gone.

gpg-agent and dirmngr "background" themselves, so they'll always have
ppid 1.

that said, under systemd, they'll be grouped into control groups on the
basis of how/where they were launched.

The simplest way to see the control group hierarchy is with "systemctl
status".  When these processes are launched by the user service, they'll
end up in the user@NNNN.service like this:

           └─user.slice
             ├─user-1000.slice
             │ ├─session-1.scope
             │ │ ├─ 2884 /usr/bin/rxvt
             │ │ ├─32603 less
                […]
             │ │ ├─32605 rxvt -geometry 80x26
             │ │ └─32606 bash
             │ └─user@1000.service
             │   ├─gpg-agent.service
             │   │ ├─ 2804 /usr/bin/gpg-agent --daemon --homedir /home/dkg/.gnupg
             │   │ └─23655 scdaemon --multi-server
             │   ├─dirmngr.service
             │   │ └─2805 /usr/bin/dirmngr --daemon --homedir /home/dkg/.gnupg
                […]

If they've been autolaunched, they'll end up in the session-X.scope
sub-tree.

> FWIW gpg-agent/dirmngr are currently _not_ marked as enabled in my user
> session, I've checked with (systemctl --user status).

right, they're not enabled by default yet.  see
https://bugs.debian.org/764678.

> Thanks a lot for your work on GPG dkg, I'm really thrilled to see gpg2
> becoming the default!

thanks!

        --dkg
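As an added example that is not part of the thread: a small POSIX shell helper that applies the check dkg describes mechanically, reading each gpg-agent/dirmngr PID's cgroup path from /proc/PID/cgroup (the systemd hierarchy, either the v1 `name=systemd` controller or the v2 unified line) and reporting whether the process lives under the user service or was autolaunched into a session scope. It assumes `pgrep` and `sed` are available; the sample paths at the bottom are constructed to mirror the tree quoted above.

```shell
#!/bin/sh
# Classify how a gpg-agent/dirmngr process was launched, based on the
# control group systemd placed it in (hypothetical helper, not from GnuPG
# or Debian's packaging).

classify_cgroup() {
    # $1: a cgroup path, e.g. /user.slice/user-1000.slice/user@1000.service/gpg-agent.service
    case "$1" in
        # Started by the systemd user service: nested under user@UID.service,
        # possibly with an intermediate slice on newer systemd versions.
        */user@*.service/*gpg-agent.service*|*/user@*.service/*dirmngr.service*)
            echo "user-service" ;;
        # Autolaunched by a gpg/gpgsm client: lands in the login session's scope.
        */session-*.scope*)
            echo "autolaunched" ;;
        *)
            echo "unknown" ;;
    esac
}

# Extract the systemd cgroup path for a PID. Handles the cgroup v2 unified
# line ("0::/path") and the cgroup v1 named controller ("N:name=systemd:/path").
cgroup_path_of_pid() {
    sed -n -e 's/^0::\(.*\)$/\1/p' \
           -e 's/^[0-9]*:name=systemd:\(.*\)$/\1/p' "/proc/$1/cgroup" 2>/dev/null
}

# Report every running gpg-agent and dirmngr with its launch classification.
check_agents() {
    for name in gpg-agent dirmngr; do
        for pid in $(pgrep -x "$name" 2>/dev/null); do
            path=$(cgroup_path_of_pid "$pid") || path=""
            printf '%-10s %6s %s\n' "$name" "$pid" "$(classify_cgroup "$path")"
        done
    done
}

# Constructed sample paths mirroring the systemctl status tree in the mail.
SAMPLE_SERVICE=/user.slice/user-1000.slice/user@1000.service/gpg-agent.service
SAMPLE_SCOPE=/user.slice/user-1000.slice/session-1.scope

printf 'sample service path: %s\n' "$(classify_cgroup "$SAMPLE_SERVICE")"
printf 'sample scope path:   %s\n' "$(classify_cgroup "$SAMPLE_SCOPE")"

# Live check of this machine, only where pgrep exists.
command -v pgrep >/dev/null 2>&1 && check_agents
```

A process reported as "autolaunched" is the leftover kind the subject line warns about: it survives the client that spawned it and is not managed by the `gpg-agent.service` unit.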