Agent socket security

Werner Koch wk at gnupg.org
Mon May 12 12:25:38 CEST 2014


On Sun, 11 May 2014 15:58, dkg at fifthhorseman.net said:

> think it is used in gnupg 2.0 or 1.4.  (that is, i think they rely
> strictly on the filesystem permissions; hopefully someone more
> knowledgeable will correct me if i've got this wrong).

That is correct.  The sockets are created in the ~/.gnupg directly which
should have appropriate permissions anyway (gpg shows a warning if not)
or in a temporary directly created for the user.  Obviously the umask
should now allow others to write to the socket.

The dirmngr is either a system wide daemon and creates a socket below
/var/run/gnupg or creates the socket below ~/.gnupg.  Dirmngr is by
design a system wide services but with 2.1 the default changes to be a
per-user service.

Under Windows file system permissions are used in a similar way.
Actually a plain file is used which has a local TCP port number and a
nonce to emulate Unix style sockets.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




More information about the Gnupg-devel mailing list