(Unix)-Security-Problem on gpg-0.4.1

Werner Koch wk at isil.d.shuttle.de
Sat Oct 10 12:17:26 CEST 1998

----- Forwarded message from Mario Lorenz <ml at vdazone.org> -----

Date: Fri, 9 Oct 1998 08:23:19 +0200
From: Mario Lorenz <ml at vdazone.org>
To: gnupg-bugs at gnu.org
Subject: (Unix)-Security-Problem on gpg-0.4.1


I seem to have a little problem with gpg-0.4.1.
Reading the announcement on freshmeat, I downloaded it and built
it using the gnupg-0.4.1.spec from the scripts directory.
I run Linux-2.1.124, on a RH5.1 system, all current patches applied.

After installing the produced RPM, gpg is installed setuid/setgid root, and
gpg doesn't seem to drop root group privileges. This means that all files it
creates (keys I created, files I signed) are owned by group 0 (root/wheel),
which is not the way it should be, IMHO.

Removing the setgid bit fixes the problem.
Hence your SPECs should NOT "chmod +s gpg", but rather "chmod u+s gpg".

Since your policy (as per your documentation) is not to install any setuid
bits by default, I recommend removing the chmod altogether.

Please note that I am not on any gpg mailing list, if you have further
questions/comments, please cc: me.


Mario Lorenz                            Internet:    <ml at vdazone.org>
                                        Ham Radio:   DL5MLO at OK0PKL.#BOH.CZE.EU
 "I hear that if you play the NT 4.0 CD backwards, you get a Satanic message!"
 "That's nothing. If you play it forward, it installs NT 4.0!"

----- End forwarded message -----

Koch Softwaresysteme  /  "The GNU Privacy Guard" is an OpenPGP system:
Remscheider Str. 22  /  http://www.d.shuttle.de/isil/gnupg/gnupg.html
D-40215 Düsseldorf  /
Germany            /  Fingerprint for <werner.koch at guug.de>:
+49 211 3180023   /  ecaf 7590 eb34 43b5 c7cf  3acb 6c7e e1b8 621c c013
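The report's underlying point is that the program keeps an effective group id it does not need, so every file it creates inherits that group. As an added illustration (not gpg's code, and not from either mail author) the following shows how a setuid/setgid helper can drop the group privilege to the real gid, verify that the drop took, and confirm that files created afterwards get the caller's group; it assumes POSIX setregid()/setegid() and a writable current directory, and the file name gpg_gid_check.tmp is a placeholder.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop the effective (set-) group id to the real gid and
 * verify the drop. Returns 0 on success, -1 if the drop failed or the
 * old effective gid can still be regained. Call this before any file is
 * created; files created earlier carry the elevated group (the symptom
 * reported above: key and signature files owned by group 0). */
int drop_group_privileges(void)
{
    gid_t real_gid = getgid();
    gid_t old_egid = getegid();

    /* Setting both real and effective gid also resets the saved gid. */
    if (setregid(real_gid, real_gid) != 0)
        return -1;
    if (getgid() != real_gid || getegid() != real_gid)
        return -1;
    /* If the gid was elevated, regaining it must now fail. While the
     * process still holds euid 0 (a setuid root binary that has not yet
     * dropped its uid), setegid() still succeeds and this reports -1. */
    if (old_egid != real_gid && setegid(old_egid) == 0)
        return -1;
    return 0;
}

/* Create a scratch file (placeholder path) and check which group it got.
 * Returns 1 if the file's group is the real gid, 0 if it is some other
 * group (e.g. taken from an elevated egid), -1 on error. The file is
 * removed again before returning. */
int file_group_is_real_gid(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    unlink(path);
    return st.st_gid == getgid() ? 1 : 0;
}
```

Run unprivileged, drop_group_privileges() is a no-op that still returns 0; installed setgid root without a matching drop, the second function is what would report the group-0 files the report describes.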
