[pkg-gnupg-maint] Bug#1078787: gpg-agent-ssh.socket ignores enable-ssh-support, stomps on SSH_AUTH_SOCK from ssh-agent.service

Richard Hansen rhansen at rhansen.org
Thu Sep 12 23:35:13 BST 2024


On 2024-08-17 08:18:47-04:00, Andreas Metzler wrote:
> On 2024-08-16 Richard Hansen <rhansen at rhansen.org> wrote:
>> On 8/16/24 05:55, Andreas Metzler wrote:
>>> I think I will revert
>>> https://salsa.debian.org/debian/gnupg2/-/commit/2ed898c22475d25dbc874b9cdc82063c31c4e603
> 
>> That would work, although I wonder:  If the user has enable-ssh-support in 
>> their ~/.gnupg/gpg-agent.conf and disables the gpg-agent-ssh.socket unit 
>> file, wouldn't that environment generator still set SSH_AUTH_SOCK? Wouldn't 
>> it be better to never set SSH_AUTH_SOCK if gpg-agent-ssh.socket is disabled?
> 
> Hello,
> 
> hm, afaict systemd does not offer dependencies between 
> environment-generators and units

That is my understanding as well.

> (otherwise afaict BindsTo with After would do the trick).

Yeah, that would be nice.

> 
> One could document that changing/enabling the unit also might require 
> changes to the generator.

Users are unlikely to see that documentation until after they have 
already wasted time troubleshooting, and changing a generator is not as 
easy as disabling a unit, so I'd prefer to find a friendlier solution.

Perhaps the environment generator could check to see if the unit is 
enabled?  I don't know how difficult it would be to make that check 
robust.  It's probably easier to just do the ExecStartPost command.

> 
> BTW two questions:
> Is it necessary to use
> ExecStartPost=sh -c '[ -z "$$(gpgconf --list-options gpg-agent | awk -F: \'/^enable-ssh-support:/{print$$10}\')" ] || systemctl --user set-environment "$$@"' - "SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh"
> 
> instead of the simpler
> ExecStartPost=sh -c '[ -z "$$(gpgconf --list-options gpg-agent | awk -F: \'/^enable-ssh-support:/{print$$10}\')" ] || systemctl --user set-environment "SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh"'

It is only necessary if %t might expand to something containing shell 
meta characters such as double quotes, dollar sign, or backslash.  It's 
easier to conservatively quote than to figure out if malicious code 
could possibly inject something into %t ($XDG_RUNTIME_DIR).

> 
> I could not find whether single quotes in systemd files prevent % (or 
> even $)-expansion, perhaps you can help me. - TIA

From my understanding of systemd.syntax(7), there is no difference in 
behavior between a pair of double quotes and a pair of single quotes 
(other than how easy it is to embed single/double quotes inside, of course).

> 
> The generator checked the "okay" field in 'gpgconf --check-options 
> gpg-agent'. I guess you left that out in the socket file because the 
> ExecStartPost command will only run if the agent started successfully.

Correct.

Thanks,
Richard
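To make the quoting question above concrete, here is an added example (not code from the bug report, the thread participants, or the gnupg2 package) that simulates both ExecStartPost forms in plain sh. It assumes that systemd's %t expansion can be stood in for by ordinary shell interpolation of a variable into the command text (which is what happens in a unit file before sh ever sees the line), that `systemctl --user set-environment` can be replaced by printf so the result is inspectable offline, and that the gpgconf lines below are constructed following the colon-separated layout of `gpgconf --list-options`, with the value in field 10. The `$$` escaping of the unit file is not simulated; only the `%t` splice is.

```shell
#!/bin/sh
# Added example for this thread; not code from the bug report or from gnupg2.
# Shows why the ExecStartPost line hands the %t-derived value to `sh -c`
# as a positional argument ("$@") instead of pasting it into the script.

# Constructed runtime-dir value carrying a shell metacharacter sequence.
# Assumption: a hostile or merely odd $XDG_RUNTIME_DIR, used only to make
# the difference between the two forms visible.
HOSTILE_RUNTIME_DIR='/run/user/1000$(echo INJECTED)'

# Form 1, the "simpler" one: the expanded %t sits inside the quoted script,
# so the inner sh parses whatever it contained as code.
inline_form() {
    runtime_dir=$1
    sh -c "printf '%s\n' \"SSH_AUTH_SOCK=$runtime_dir/gnupg/S.gpg-agent.ssh\""
}

# Form 2, the one in the unit file: the script text is fixed, and the
# expanded value arrives as $1, where it is only ever data. The lone "-"
# fills $0 so the assignment lands in "$@".
positional_form() {
    runtime_dir=$1
    sh -c 'printf "%s\n" "$@"' - "SSH_AUTH_SOCK=$runtime_dir/gnupg/S.gpg-agent.ssh"
}

# The same awk test as the ExecStartPost line, reading gpgconf-style output
# from stdin instead of running gpgconf. Field 10 is assumed to be the
# option's current value; it is empty when the option is unset.
ssh_support_enabled() {
    [ -n "$(awk -F: '/^enable-ssh-support:/{print $10}')" ]
}

# Constructed stand-ins for `gpgconf --list-options gpg-agent`.
GPGCONF_ENABLED='enable-ssh-support:0:1:enable ssh support:0:0::::1'
GPGCONF_DISABLED='enable-ssh-support:0:1:enable ssh support:0:0::::'

# What would be exported for a given runtime dir: nothing unless
# enable-ssh-support is set, otherwise the safely quoted assignment.
export_line() {
    gpgconf_output=$1
    runtime_dir=$2
    if printf '%s\n' "$gpgconf_output" | ssh_support_enabled; then
        positional_form "$runtime_dir"
    fi
}

# Stand-alone demo: the inline form executes the injected substitution,
# the positional form preserves the value byte for byte.
echo "inline:     $(inline_form "$HOSTILE_RUNTIME_DIR")"
echo "positional: $(positional_form "$HOSTILE_RUNTIME_DIR")"
echo "enabled:    $(export_line "$GPGCONF_ENABLED" /run/user/1000)"
echo "disabled:   [$(export_line "$GPGCONF_DISABLED" /run/user/1000)]"
```

The same reasoning applies to any unit-file specifier or environment value spliced into `sh -c`: keep the script text constant and pass expanded values as arguments, and the inner shell never gets a chance to interpret them.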
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnupg-maint/attachments/20240912/3c01de29/attachment.sig>