[pkg-gnupg-maint] Bug#835629: gnupg2: “unsafe ownership” is based on uid instead of euid
Valentin Lorentz
progval at progval.net
Sat Aug 27 18:25:50 UTC 2016
Package: gnupg2
Version: 2.1.11-7
When running gnupg2 from an executable with a SUID, gnupg2 wrongly warns
about “unsafe ownership on homedir”.
Here is how to reproduce the bug:
val@particle:/tmp $ cat foo.c
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
int main(void) {
    /* Run gpg2 against the homedir owned by the SUID target user. */
    system("gpg2 --list-secret-keys --homedir=/home/dev-misc/.gnupg");
    return 0;
}
val@particle:/tmp $ sudo gcc foo.c && sudo chown dev-misc:dev-misc a.out && sudo chmod u+s a.out
val@particle:/tmp $ LANG=C ./a.out
gpg: WARNING: unsafe ownership on homedir '/home/dev-misc/.gnupg'
gpg: keybox '/home/dev-misc/.gnupg/pubring.kbx' created
val@particle:/tmp $ sudo ls -la /home/dev-misc/ | grep gnupg
drwx------ 2 dev-misc dev-misc 4096 août 27 20:22 .gnupg
Best regards,
Valentin
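
The distinction the report turns on, as an added example that is not part of the original message and is not GnuPG's code: in a set-user-ID program, getuid() still returns the invoking user while geteuid() returns the owner of the executable, so a homedir ownership check gives different answers depending on which one it compares against. The function names and flag values here are hypothetical, and the permission rule (no group/other bits) is an assumption for illustration.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result flags for this example. */
enum { HOMEDIR_OK = 0, HOMEDIR_BAD_OWNER = 1, HOMEDIR_BAD_PERMS = 2,
       HOMEDIR_NOT_DIR = 4 };

/* Pure check on an already-fetched stat result: the caller decides which
 * uid is "trusted" (real or effective). */
int homedir_problems(const struct stat *st, uid_t trusted)
{
    int flags = HOMEDIR_OK;
    if (!S_ISDIR(st->st_mode))
        flags |= HOMEDIR_NOT_DIR;
    if (st->st_uid != trusted)
        flags |= HOMEDIR_BAD_OWNER;   /* owned by someone other than `trusted` */
    if (st->st_mode & (S_IRWXG | S_IRWXO))
        flags |= HOMEDIR_BAD_PERMS;   /* group or others have some access */
    return flags;
}

/* stat() the path and run the check; returns -1 if stat() fails. */
int check_homedir(const char *path, uid_t trusted)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return homedir_problems(&st, trusted);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : ".";
    uid_t ruid = getuid(), euid = geteuid();

    /* In a normal process both lines agree. In a set-user-ID binary whose
     * owner also owns `path`, only the real-uid check reports BAD_OWNER. */
    printf("uid=%ld euid=%ld path=%s\n", (long)ruid, (long)euid, path);
    printf("check against real uid:      %d\n", check_homedir(path, ruid));
    printf("check against effective uid: %d\n", check_homedir(path, euid));
    return 0;
}
```

Built and installed set-user-ID the same way as foo.c above and pointed at the homedir, it prints both results side by side.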