Agent socket security
Werner Koch
wk at gnupg.org
Mon May 12 12:25:38 CEST 2014
On Sun, 11 May 2014 15:58, dkg at fifthhorseman.net said:
> think it is used in gnupg 2.0 or 1.4. (that is, i think they rely
> strictly on the filesystem permissions; hopefully someone more
> knowledgeable will correct me if i've got this wrong).
That is correct. The sockets are created in the ~/.gnupg directly which
should have appropriate permissions anyway (gpg shows a warning if not)
or in a temporary directly created for the user. Obviously the umask
should now allow others to write to the socket.
The dirmngr is either a system wide daemon and creates a socket below
/var/run/gnupg or creates the socket below ~/.gnupg. Dirmngr is by
design a system wide services but with 2.1 the default changes to be a
per-user service.
Under Windows file system permissions are used in a similar way.
Actually a plain file is used which has a local TCP port number and a
nonce to emulate Unix style sockets.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
More information about the Gnupg-devel
mailing list