Moving the agent's socket to /var/run ?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jun 8 19:33:47 CEST 2016
On Wed 2016-06-08 09:29:13 -0400, Werner Koch wrote:
> I just pushed some changes to use sockets below /run/user:
> If a [/var]/run/user/$(id -u)/ directory exists, a gnupg subdir is
> created as needed and the permissions of the directories are checked.
> If that all matches that directory name is returned instead of the
> To cope with non standard homedirs (via GNUPGHOME or --homedir) the
> SHA-1 hash of the homedir is computed, left truncated to 120 bits,
> zBase-32 encoded, prefixed with "d.", and appended to
> "[/var]/run/user/$(id -u)/gnupg/". If that directory exists and has
> proper permissions it is returned as socket dir - if not the homedir
> is used. Due to cleanup issues, this directory will not be
> auto-created but needs to be created by the user in advance.
> The required permissions are: directory owned by the user, group and
> others bits not set.
Thanks, these are great changes!
I think i understand the variation with non-standard homedirs, but i
wonder what happens if GNUPGHOME (or --homedir) is set, but it happens
to be exactly the same as the default homedir. At that point, what
directory is used -- the standard directory, the one with the digested
value, or the one actually in the homedir? (or should the digested
value of the default appear automatically as a symlink to .. ?)
Also, is there an easy/automated way to query gpg for the hashed
directory? it'd be nice for external tools to be able to do something
gpgconf --homedir $foo --print-socket-dir
instead of re-implementing the logic you've described above.
Is the ssh-agent socket also placed inside the socket dir, or always in
the non-custom location?
> If you are using gpg-agent for ssh, remember to change the envvar to the
> new place:
> export SSH_AUTH_SOCK
> This envvar is actually a bit annoying and thus I would appreciate if
> Debian could change ssh to try the above socket if for example
> SSH_AUTH_SOCK is set to "gpg-agent" or some other magic.
That's an interesting proposal, though i'm not sure that debian is the
right place to do it. Why not propose such a change to upstream
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 948 bytes
Desc: not available
More information about the Gnupg-devel