Agent socket security
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sun May 11 15:58:50 CEST 2014
On 05/11/2014 06:01 AM, Nicholas Cole wrote:
> This is a question that comes out of my own ignorance, but what stops one
> user on a system maliciously connecting to another user's gpg-agent, and is
> this mechanism secure on all platforms?
There are at least two mechanisms that can be used: filesystem
permissions, and socket peer credentials (e.g. SO_PEERCRED). All
unix-style systems will support filesystem permissions. Not all unix
systems support socket peer credentials.
Here's how filesystem permissions work: the directory that the socket
lives in is unreadable and unwritable and untraversable by anyone but
the owner. This protects access to the socket.
For example:
0 dkg at alice:~$ cat .gnupg/gpg-agent-info
GPG_AGENT_INFO=/tmp/gpg-gXXXXX/S.gpg-agent:6869:1; export GPG_AGENT_INFO;
0 dkg at alice:~$ ls -la /tmp/gpg-XXXXX/
total 0
drwx------ 2 dkg dkg 60 May 10 13:19 .
drwxrwxrwt 9 root root 260 May 11 10:45 ..
srwxr-xr-x 1 dkg dkg 0 May 10 13:19 S.gpg-agent
0 dkg at alice:~$
socket peer credentials are derived from the socket by libassuan, which
abstracts away the several different forms of socket peer credentials
that different OSes use (see src/assuan-socket-server.c from
git://git.gnupg.org/libassuan.git).
In the master branch, dirmngr appears to use assuan's report of the
socket's peer credentials. From a quick scan of the source, I don't
think it is used in gnupg 2.0 or 1.4. (That is, I think they rely
strictly on the filesystem permissions; hopefully someone more
knowledgeable will correct me if I've got this wrong.)
hth,
--dkg