Agent socket security

Daniel Kahn Gillmor dkg at
Sun May 11 15:58:50 CEST 2014

On 05/11/2014 06:01 AM, Nicholas Cole wrote:

> This is a question that comes out of my own ignorance, but what stops one
> user on a system maliciously connecting to another user's gpg-agent, and is
> this mechanism secure on all platforms?

there are at least two mechanisms that can be used: filesystem
permissions, and socket peer credentials (e.g.SO_PEERCRED).  All
unix-style systems will support filesystem permissions.  Not all unix
systems support socket peer credentials.

here's how filesystem permissions work:  the directory that the socket
lives in is unreadable and unwritable and untraversable by anyone but
the owner. this protects access to the socket.

for example:

0 dkg at alice:~$ cat .gnupg/gpg-agent-info
GPG_AGENT_INFO=/tmp/gpg-gXXXXX/S.gpg-agent:6869:1; export GPG_AGENT_INFO;
0 dkg at alice:~$ ls -la /tmp/gpg-XXXXX/
total 0
drwx------ 2 dkg  dkg   60 May 10 13:19 .
drwxrwxrwt 9 root root 260 May 11 10:45 ..
srwxr-xr-x 1 dkg  dkg    0 May 10 13:19 S.gpg-agent
0 dkg at alice:~$

socket peer credentials are derived from the socket by libassuan, which
abstracts away the several different forms of socket peer credentials
that different OSes use (see src/assuan-socket-server.c from

In the master branch, dirmngr appears to use assuan's report of the
socket's peer credentials.  From a quick scan of the source, I don't
think it is used in gnupg 2.0 or 1.4.  (that is, i think they rely
strictly on the filesystem permissions; hopefully someone more
knowledgeable will correct me if i've got this wrong).



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140511/85af31c9/attachment.sig>

More information about the Gnupg-devel mailing list