(Unix)-Security-Problem on gpg-0.4.1

Werner Koch wk at isil.d.shuttle.de
Sat Oct 10 12:16:38 CEST 1998

Mario Lorenz <ml at vdazone.org> writes:

> After installing the produced RPM, gpg is installed setuid/setgid root, and
> gpg doesn't seem to drop root group privileges. This means that all files it

It does and there is an additional check just before loading any
extension modules, to make sure setuid has been dropped. 

> Removing the setgid bit fixes the problem.
> Hence your SPEC's should NOT "chmod +s gpg", but rather "chmod u+s gpg"

I should have better looked over the spec file, before putting it into
the dist. I apologize for this.  I changed it to u+s which is what is
needed (and on 2.1.xxx we can use capabilities instead of setuid) and
in addition commented it out ;-).

> Please note that I am not on any gpg mailing list, if you have further
> questions/comments, please cc: me.

And the list is closed, so your message will not show up there - I'll
forward it.
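
The difference between the two `chmod` forms discussed in this thread, as an added example that is not part of the original messages or of the GnuPG sources. The function names and the scratch file standing in for the installed binary are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare the special bits left by "chmod +s" and "chmod u+s",
# and audit files for an unexpected setgid bit.

# special_bits FILE -> prints "setuid+setgid", "setuid", "setgid" or "none".
# Uses the POSIX test operators -u (setuid) and -g (setgid).
special_bits() {
    if [ -u "$1" ] && [ -g "$1" ]; then
        echo "setuid+setgid"
    elif [ -u "$1" ]; then
        echo "setuid"
    elif [ -g "$1" ]; then
        echo "setgid"
    else
        echo "none"
    fi
}

# bits_after_chmod MODE -> applies MODE to a fresh scratch file (constructed,
# stands in for the installed binary) and reports the resulting special bits.
# Assumes the scratch file's group is one of the caller's groups (the Linux
# default); otherwise an unprivileged chmod silently clears setgid.
bits_after_chmod() {
    scratch=$(mktemp) || return 1
    chmod 755 "$scratch"
    chmod "$1" "$scratch"
    special_bits "$scratch"
    rm -f "$scratch"
}

# audit_setgid FILE... -> lists files carrying the setgid bit.
# Returns 1 if any were found, 0 otherwise.
audit_setgid() {
    rc=0
    for f in "$@"; do
        if [ -g "$f" ]; then
            echo "setgid set: $f"
            rc=1
        fi
    done
    return $rc
}

echo "chmod +s   -> $(bits_after_chmod +s)"
echo "chmod u+s  -> $(bits_after_chmod u+s)"
```

`audit_setgid` can be pointed at the files a package installs to confirm that only the intended bit is present.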


