[pkg-gnupg-maint] Bug#836772: Bug#836772: gnupg: unable to sign anyone's keys

Ramakrishnan Muthukrishnan rkrishnan at debian.org
Thu Sep 8 06:36:23 UTC 2016


On Wed, Sep 7, 2016, at 04:48 PM, Daniel Kahn Gillmor wrote:
> On Tue 2016-09-06 23:50:31 +0200, Ramakrishnan Muthukrishnan wrote:
> > [dkg wrote:]
> >>     chgrp $(getent passwd keyring-user | cut -f4 -d:) $(tty)
> >
> > Hmm. That command errored out with a "permission denied". But the second
> > one succeeded.  
> 
> sigh, sorry about that, i've been asking you to test things that i
> really should have tried myself.  it appears that the devpts filesystem
> is much more limited than i expected it to be :/

No worries. I get to learn a bit in the process too and that's a nice
thing about being a Free Software user.

> >>     chmod g+rw $(tty)
> >
> > As 'root', I added the keyring-user into the group 'tty' and then the
> > signing worked just fine.
> 
> hm, i'm not sure that's particularly safe.  it implies that keyring-user
> is able to write to any of the ttys on the system :/

Yes. As I wrote in the subsequent email, without adding keyring-user
into the group (I did a `deluser keyring-user tty' to undo the above
step), I was able to sign keys by adding just the read permission to the
`group' members of tty.

> maybe the right approach is to do something like hand over the tty as an
> file descriptor?  that'd require quite a bit more plumbing upstream :/

Hmm.. Yes, that is going to be a big change, I am guessing.

> > I didn't know about exporting the extra socket. Still reading up on the
> > gpg2 and associated programs.
> >
> > I think it is perfectly fine with the setup where I can switch to
> > virtual terminal and log into the account.
> 
> ok, i'm glad that setup works for you :) Please report back if you find
> a good configuration that lets you use gpg-agent in this isolated mode.
> I'll be at the OpenPGP.conf later this week and will try to brainstorm
> with folks there about the right way to provide this sort of isolated
> service effectively.

Thanks very much. I will update the bts if I find anything interesting.
Much appreciate your help.

--
  Ramakrishnan
