Moving the agent's socket to /var/run ?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jun 8 19:33:47 CEST 2016


Hi Werner--

On Wed 2016-06-08 09:29:13 -0400, Werner Koch wrote:

> I just pushed some changes to use sockets below /run/user:
>
>     If a [/var]/run/user/$(id -u)/ directory exists, a gnupg subdir is
>     created as needed and the permissions of the directories are checked.
>     If that all matches that directory name is returned instead of the
>     homedir.
>     
>     To cope with non standard homedirs (via GNUPGHOME or --homedir) the
>     SHA-1 hash of the homedir is computed, left truncated to 120 bits,
>     zBase-32 encoded, prefixed with "d.", and appended to
>     "[/var]/run/user/$(id -u)/gnupg/".  If that directory exists and has
>     proper permissions it is returned as socket dir - if not the homedir
>     is used.  Due to cleanup issues, this directory will not be
>     auto-created but needs to be created by the user in advance.
>     
>     The required permissions are: directory owned by the user, group and
>     others bits not set.

Thanks, these are great changes!

I think i understand the variation with non-standard homedirs, but i
wonder what happens if GNUPGHOME (or --homedir) is set, but it happens
to be exactly the same as the default homedir.  At that point, what
directory is used -- the standard directory, the one with the digested
value, or the one actually in the homedir?  (or should the digested
value of the default appear automatically as a symlink to .. ?)

Also, is there an easy/automated way to query gpg for the hashed
directory?  it'd be nice for external tools to be able to do something
like:

  gpgconf --homedir $foo --print-socket-dir

instead of re-implementing the logic you've described above.

Is the ssh-agent socket also placed inside the socket dir, or always in
the non-custom location?

> If you are using gpg-agent for ssh, remember to change the envvar to the
> new place:
>
>   SSH_AUTH_SOCK="/run/user/${UID}/gnupg/S.gpg-agent.ssh"
>   export SSH_AUTH_SOCK
>
> This envvar is actually a bit annoying and thus I would appreciate if
> Debian could change ssh to try the above socket if for example
> SSH_AUTH_SOCK is set to "gpg-agent" or some other magic.

That's an interesting proposal, though i'm not sure that debian is the
right place to do it.  Why not propose such a change to upstream
OpenSSH?

        --dkg
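To make the scheme in Werner's quoted commit message concrete, here is an added Python sketch (not GnuPG's code, and not from this thread): it derives the "d." + zBase-32 name from the SHA-1 of a non-standard homedir and applies the stated permission check before using that directory, falling back to the homedir otherwise. It assumes "left truncated to 120 bits" means the first 15 digest bytes, that the caller passes an already-canonicalised homedir path (GnuPG normalises it first), and all function names here are hypothetical.

```python
import hashlib
import os
import stat
import tempfile

# zBase-32 alphabet, as used by GnuPG's zb32 encoder.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"

def zb32_encode(data: bytes) -> str:
    """zBase-32: 5-bit groups taken MSB-first, last group zero-padded, no '='."""
    bits = int.from_bytes(data, "big")
    nchars = (len(data) * 8 + 4) // 5          # ceil(number of bits / 5)
    total = nchars * 5
    bits <<= total - len(data) * 8             # right-pad the final group
    return "".join(ZB32_ALPHABET[(bits >> (total - 5 * (i + 1))) & 31]
                   for i in range(nchars))

def socket_dir_name(homedir: str) -> str:
    """'d.' + zBase-32 of the leftmost 120 bits (15 bytes) of SHA-1(homedir).
    Assumption: homedir is already canonicalised by the caller."""
    digest = hashlib.sha1(homedir.encode()).digest()[:15]
    return "d." + zb32_encode(digest)

def socket_dir_is_trusted(path: str, uid: int) -> bool:
    """Exists, is a directory, owned by uid, and no group/other bits are set."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return stat.S_ISDIR(st.st_mode) and st.st_uid == uid and (st.st_mode & 0o077) == 0

def resolve_socket_dir(homedir: str, run_user_dir: str, uid: int) -> str:
    """Use <run_user_dir>/gnupg/<hashed name> only if it passes the check;
    the directory is never auto-created, so otherwise fall back to the homedir."""
    candidate = os.path.join(run_user_dir, "gnupg", socket_dir_name(homedir))
    return candidate if socket_dir_is_trusted(candidate, uid) else homedir

def demo() -> dict:
    """Constructed scenario in a temp dir: a 0700 socket dir is used, 0750 is not."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as run_user:      # stands in for /run/user/$UID
        homedir = "/home/alice/.gnupg-work"              # constructed non-default homedir
        sockdir = os.path.join(run_user, "gnupg", socket_dir_name(homedir))
        os.makedirs(sockdir, mode=0o700)
        good = resolve_socket_dir(homedir, run_user, uid)
        os.chmod(sockdir, 0o750)                         # group bit set: must be rejected
        bad = resolve_socket_dir(homedir, run_user, uid)
        return {"used_hashed": good == sockdir, "fell_back": bad == homedir}
```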