[PATCH] Add inside-Emacs mode to GUI pinentry programs

Daiki Ueno ueno at gnu.org
Sat May 30 01:05:16 CEST 2015


Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:

> however, doing this seems like it might open up a possible hole in the
> protections offered by the agent, so i think we need to proceed
> thoughtfully.  If the requester can instruct the agent to talk to
> arbitrary emacs sessions, then an attacker with access to the agent's
> socket can potentially do things like mount password-guessing attacks
> without any visibility to the user.

Thanks for bringing it up.  I think Emacs is secure enough nowadays to
such kind of attacks, i.e., it properly sets up the permission of the
parent directory of a socket, and the client does some checks of the
file owner.  However, we should double-check if it is secure enough for
this use-case, indeed.

By the way, is the envvar restriction really working?  I was curious how
pinentry-gnome3 works without knowing the address of the D-Bus session
bus, since gcr internally uses it to talk to the actual prompter service
implementation (i.e., gnome-shell).

So just tried:

  $ pkill gpg-agent
  $ gpg2 --symmetric -o /dev/null < /dev/null
  ...works ok...

  $ pkill gpg-agent
  $ DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/invalid \
    gpg2 --symmetric -o /dev/null < /dev/null
  gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
  gpg: It is only intended for test purposes and should NOT be
  gpg: used in a production environment or with production keys!
  gpg: cancelled by user
  gpg: error creating passphrase: Operation cancelled
  gpg: symmetric encryption of '[stdin]' failed: Operation cancelled

I don't see the envvar listed in common/session-env.c, but it seems to
be actually passed to pinentry-gnome3:

  $ DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/invalid \
    strace -e trace=connect -f gpg2 --symmetric -o /dev/null < /dev/null
  ...
  25983 connect(5, {sa_family=AF_LOCAL, sun_path="/tmp/invalid"}, 110) = -1 ENOENT (No such file or directory)
  ...

Perhaps libassuan/src/system-posix.c:__assuan_spawn should use execve,
instead of execv?

Regards,
-- 
Daiki Ueno



More information about the Gnupg-devel mailing list