[pkg-gnupg-maint] Bug#1101471: Bug#1101471: starting of agent for system accounts is inacceptable
Marc Haber
mh+debian-bugs at zugschlus.de
Sun Apr 13 14:21:43 BST 2025
On Wed, Apr 09, 2025 at 04:39:14PM -0400, Daniel Kahn Gillmor wrote:
>Marc, what does this command show for you?
>
> gpgconf --list-options gpg-agent | grep ^enable-ssh-agent:
Nothing.
>Can you see anything in the per-user journal for the system user related
>to gpg-agent? as the system user in question, can you share the output
>of this:
>
> journalctl --user-unit 'gpg-agent*'
[11/4999]mh at spinturn:~ $ journalctl --user-unit 'gpg-agent*'
Apr 12 09:36:53 spinturn systemd[1193]: Listening on gpg-agent-browser.socket - GnuPG cryptographic agent and passphrase cache (access for web browsers).
Apr 12 09:36:53 spinturn systemd[1193]: Listening on gpg-agent-extra.socket - GnuPG cryptographic agent and passphrase cache (restricted).
Apr 12 09:36:53 spinturn systemd[1193]: Starting gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation)...
Apr 12 09:36:53 spinturn systemd[1193]: Starting gpg-agent.socket - GnuPG cryptographic agent and passphrase cache...
Apr 12 09:36:53 spinturn systemd[1193]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Apr 12 09:36:53 spinturn systemd[1193]: Listening on gpg-agent.socket - GnuPG cryptographic agent and passphrase cache.
[12/4999]mh at spinturn:~ $
The timestamps from that roughly correlate with the last reboot of that
machine. And this is also the timestamp of the systemd unit stamp files
in /run:
$ sudo ls -al /run/user/1001/systemd/units/
total 0
drwxr-xr-x 2 mh mh 80 Apr 12 09:36 .
drwxr-xr-x 5 mh mh 140 Apr 12 09:36 ..
lrwxrwxrwx 1 mh mh 32 Apr 12 09:36 invocation:gpg-agent.socket -> c01418222288497ba5ab36a4314f6abe
lrwxrwxrwx 1 mh mh 32 Apr 12 09:36 invocation:gpg-agent-ssh.socket -> 62deedfe57c94f4eb52cccf850840512
[29/5010]mh at spinturn:~ $
It is interesting to know that "mh" logged out yesterday and logged in
today, but the gpg-agent.socket seems to stay around when the user logs
out. Is that intended behavior?
Another affected "system user in question" where I noticed the issue is
zgansible, a rather limited account, and journalctl is unwilling to
cooperate here:
[13/4999]mh at spinturn:~ $ sudo -u zgansible -i
$ journalctl --user-unit 'gpg-agent*'
Hint: You are currently not seeing messages from the system.
Users in groups 'adm', 'systemd-journal' can see all messages.
Pass -q to turn off this notice.
No journal files were opened due to insufficient permissions.
$
It looks like the unit is started once an ansible run is invoked with
this account, as:
[20/5005]mh at spinturn:~ $ sudo ls -al /run/user/2530/systemd/units
total 0
drwxr-xr-x 2 zgansible nogroup 80 Apr 13 15:16 .
drwxr-xr-x 5 zgansible nogroup 140 Apr 13 15:16 ..
lrwxrwxrwx 1 zgansible nogroup 32 Apr 13 15:16 invocation:gpg-agent.socket -> c8306e63c8d94fb7b83466a89bcb6fbd
lrwxrwxrwx 1 zgansible nogroup 32 Apr 13 15:16 invocation:gpg-agent-ssh.socket -> 911379f7cd814041bba22f208878aef4
[21/5006]mh at spinturn:~ $
and this unit seems to stay around for a while (or indefinitely?) after
the user has logged out after finishing the ansible run.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
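The checks in the message above (looking for `invocation:gpg-agent*` stamps under `/run/user/<uid>/systemd/units/` and wondering why they outlive the login) can be folded into one diagnostic. The following is an added example for this page, not code from the bug report or from the Debian GnuPG packaging. It walks every running user manager's units directory, maps the UID back to an account name and login shell via a passwd-format file, and reports whether the account has lingering enabled, which is what normally keeps a `user@<uid>.service` instance (and its socket units) alive after the last session ends. It assumes the standard locations `/run/user`, `/var/lib/systemd/linger` (where `loginctl enable-linger` creates a file named after the user) and `/etc/passwd`; all three are parameters so the function can be run against a constructed tree. The function name `gpg_agent_units` is invented for the example.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report): for every running user manager
# under a /run/user-style tree, list the gpg-agent units that currently have
# an invocation stamp and say whether the account is set to linger.
#
# Usage on a real host (stamps are only readable as root):
#   sudo sh gpg_agent_units.sh
# Arguments: [run_root] [linger_dir] [passwd_file]; defaults are the
# locations systemd and logind use on Debian.
gpg_agent_units() {
    run_root="${1:-/run/user}"                 # one directory per UID
    linger_dir="${2:-/var/lib/systemd/linger}" # 'loginctl enable-linger NAME' creates NAME here
    passwd_file="${3:-/etc/passwd}"            # maps UID -> account name and login shell

    for units in "$run_root"/*/systemd/units; do
        [ -d "$units" ] || continue            # glob did not match, or not a user manager
        uid=${units#"$run_root"/}
        uid=${uid%%/*}

        # passwd format: name:x:uid:gid:gecos:home:shell
        entry=$(awk -F: -v u="$uid" '$3 == u { print $1 ":" $7; exit }' "$passwd_file")
        name=${entry%%:*}
        shell=${entry#*:}
        [ -n "$name" ] || name="uid$uid"       # fallback label when the UID is not in passwd

        if [ -e "$linger_dir/$name" ]; then linger=yes; else linger=no; fi

        # systemd writes one 'invocation:UNIT -> <invocation id>' symlink per
        # started unit; only symlinks count, a stray regular file is ignored.
        for stamp in "$units"/invocation:gpg-agent*; do
            [ -L "$stamp" ] || continue
            printf '%s %s %s linger=%s shell=%s\n' \
                "$uid" "$name" "${stamp##*/invocation:}" "$linger" "$shell"
        done
    done
}

gpg_agent_units "$@"
```

An account that shows `linger=yes` will keep its manager, and therefore the `gpg-agent.socket` and `gpg-agent-ssh.socket` listeners, after the last session closes; for `linger=no` a stamp that persists after logout points at a session that has not actually ended (for example a still-running ssh or tmux session), which `loginctl list-sessions` will show.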