dirmngr: restricting access to socket, why? Debian Default

Bernhard Reiter bernhard at intevation.de
Fri Jan 7 13:02:45 CET 2011


Hi Peter, Hi Werner,
the current revisions of dirmngr in Debian restrict access to the 
system service to users in gid "dirmngr" (e.g. 1.0.3-1 or 1.1.0-0kk1 [1]).

Is there a reason to do so?
The result of the default is that regular users cannot use this system service 
and they should be able to do this, in my view. Or do you know a reason why 
they should not that I have missed?

This could be a misunderstanding, because:
http://gnupg.org/documentation/manuals/dirmngr/Installation.html#Installation
says:
   /var/run/dirmngr
  This directory keeps the socket file for accessing dirmngr services. The name 
  of the socket file will be socket. Make sure that this directory has the 
  proper permissions to let dirmngr create the socket file and that eligible 
  users may read and write to that socket.

I guess Werner or Marcus mentioned that so that enough access is granted,
not restricted.

So I suggest to change the default in
cat /etc/default/dirmngr
  # Defaults for dirmngr init script
  # sourced by /etc/init.d/dirmngr

  # This variable contols the access mode of the dirmngr socket.  Set it
  # to 0770 to allow only users in the "dirmngr" group to access the
  # socket and thus use the daemon.  Set it to 0777 to allow everyone to
  # use the daemon.  The default is 0770.
  DIRMNGR_SOCKET_MODE=0770
to 0777. :)

Peter, an extra thank you for maintaining Debian packages!
Note that 1.1.0 is out and that afterwards dirmngrs will come with the gnupg 
2.1 sources. Let me know if I should create Debian reports for this or not.

Best Regards,
Bernhard

[1] packages by us for Lenny. There is already 1.1.0 available.
http://files.kolab.org/apt/releases/dists/lenny/experimental/source/

-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Deputy Coordinator Germany: fsfe.org. Board member: www.kolabsys.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
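
To make the two values discussed in the message concrete, here is an added example (not part of the original message or of the Debian package) that reads DIRMNGR_SOCKET_MODE from a defaults file without sourcing it and lists which permission classes could connect to the socket. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the Debian package): audit DIRMNGR_SOCKET_MODE.

# Extract the mode from a defaults file without sourcing it, so nothing else
# in the file is executed. The last assignment wins, as it would when sourced;
# commented-out assignments are ignored.
read_socket_mode() {
    sed -n 's/^[[:space:]]*DIRMNGR_SOCKET_MODE=\([0-7]\{3,4\}\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# List the permission classes that may connect to a socket with this mode.
# On Linux, connect() on a Unix socket requires write permission on the socket
# file (plus search permission on the directory that holds it).
who_can_connect() {
    case "$1" in ''|*[!0-7]*) return 2 ;; esac
    m=$((0$1)); out=""
    if [ $(($m & 0200)) -ne 0 ]; then out="owner"; fi
    if [ $(($m & 0020)) -ne 0 ]; then out="$out group"; fi
    if [ $(($m & 0002)) -ne 0 ]; then out="$out other"; fi
    echo "${out# }"
}

# One-line report for a defaults file; returns 1 if no valid mode is set.
audit_defaults() {
    mode=$(read_socket_mode "$1")
    if [ -z "$mode" ]; then echo "no valid DIRMNGR_SOCKET_MODE in $1"; return 1; fi
    echo "mode=$mode connect=$(who_can_connect "$mode")"
}

# Constructed sample input, modelled on the file quoted in the message.
write_sample() {
    printf '%s\n' '# Defaults for dirmngr init script' \
        '# DIRMNGR_SOCKET_MODE=0700' "DIRMNGR_SOCKET_MODE=$1" > "$2"
}

tmp=$(mktemp)
for sample_mode in 0770 0777; do
    write_sample "$sample_mode" "$tmp"
    audit_defaults "$tmp"
done
rm -f "$tmp"
```

With 0770 only the socket owner and members of the owning group can connect; with 0777 every local user can.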

More information about the Gnupg-devel mailing list